Hi All
I am trying to create an alert that triggers whenever I receive a high risk notification from my IPS. I have my Splunk search term below that returns the correct trap message, but I need to know how I can filter further by the victim's network address. The victim's IP is contained in the following line:
cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
I would like to trigger my alert whenever this trap message comes in from any 10.37.0.0 source. I had a bash at regex but couldn't get past:
| rex field=cidsAlertVictimAddress
My Splunk query is this:
index=myindex source=ips sourcetype=ips_threat
What do I need to append to my query in order to only alert on the victim address sitting on network 10.37.0.0?
The trap message looks like this:
11/22/2013 4:13 PM 123.123.123.123:123.123.123.123 CISCO-CIDS-MIB:ciscoCidsAlert SNMP Trap
Received Time:11/22/2013 4:13:58 PM
Source:456.456.456.456(456.456.456.456)
Community:public
Variable Bindings
sysUpTime:= 112 days 19 hours 59 minutes 37.05 seconds (974877705)
snmpTrapOID:= CISCO-CIDS-MIB:ciscoCidsAlert (1.3.6.1.4.1.9.9.383.0.1)
cidsGeneralEventId:= 1323036804139549916
cidsGeneralLocalTime:= 11/22/2013 4:13:58 PM (B90LFhANOgA=)
cidsGeneralUTCTime:= 11/22/2013 4:13:58 PM (B90LFhANOgA=)
cidsGeneralOriginatorHostId:= ZBTDCSRMP002
cidsAlertSeverity:= high
cidsAlertAlarmTraits:= 2147483648
cidsAlertSignature:= Community Invalid Length
cidsAlertSignatureSigName:= SNMP Protocol Violation
cidsAlertSignatureSigId:= 4507
cidsAlertSignatureSubSigId:= 6
cidsAlertSignatureVersion:= S17
cidsAlertInterfaceGroup:= 0
cidsAlertVlan:= 0
cidsAlertAttackerAddress:= 192.168.188.20:50556
cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
cidsAlertDetails:= InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ;
cidsAlertEventRiskRating:= 100
cidsAlert.26:= 3
cidsAlert.27:= 17
cidsAlert.42:= 65
cidsAlert.46:= 1
Any help appreciated
ta
Try following.
index=myindex source=ips sourcetype=ips_threat
| rex "(?<victim_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval shouldAlert=if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$"), "Yes", "No") | where shouldAlert="Yes"
Alert should be raised if above search returns rows.
This search is searching all the IPs in the form 10.37.XXX.XXX.
To search 10.37.0.XXX, use "10\.37\.0\.\d{1,3}$".
This should work for you (tested with sample data you posted [should have done this earlier]).
index=myindex source=ips sourcetype=ips_threat
| rex "cidsAlertVictimAddress.* (?<victim_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval shouldAlert=if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$"), "Yes", "No") | where shouldAlert="Yes"
You can add all those in the shouldAlert eval command, e.g.
if(match(victim_ip, "10\.37\.\d{1,3}\.\d{1,3}$") OR match(victim_ip, "10\.28\.\d{1,3}\.\d{1,3}$"), "Yes", "No")
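As an added illustration (not code from the answer above or from Splunk), the same two rex patterns run in Python over a constructed excerpt of the posted trap: the unanchored one picks up the trap's source address, the `cidsAlertVictimAddress`-anchored one returns the victim. The chained prefix matches for the 10.37 / 10.28 / 10.20.30 networks asked for in the follow-up are replaced by CIDR membership; `WATCHED_NETWORKS`, `should_alert` and the /16 and /24 sizes are assumptions.

```python
import ipaddress
import re
from typing import Optional

# Constructed sample: a few bindings from the trap message in the question, preceded by
# the trap header line, which also carries dotted-quad addresses.
SAMPLE_TRAP = """11/22/2013 4:13 PM 123.123.123.123:123.123.123.123 CISCO-CIDS-MIB:ciscoCidsAlert SNMP Trap
cidsAlertSeverity:= high
cidsAlertAttackerAddress:= 192.168.188.20:50556
cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
cidsAlertEventRiskRating:= 100
"""

IPV4 = r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"

# Unanchored, like the first rex attempt: captures the first dotted quad in the event,
# which here is the trap source in the header line, not the victim.
NAIVE_RE = re.compile(rf"(?P<victim_ip>{IPV4})")
# Anchored on the binding name, like the corrected rex. The greedy .* cannot cross a
# newline, so it backtracks within the victim line to the last " <ip>" on that line.
VICTIM_RE = re.compile(rf"cidsAlertVictimAddress.* (?P<victim_ip>{IPV4})")

def extract_victim_ip(event: str, pattern: re.Pattern = VICTIM_RE) -> Optional[str]:
    """Return the captured victim_ip field, or None when the rex would not match."""
    m = pattern.search(event)
    return m.group("victim_ip") if m else None

# Assumed alerting scope (constructed): CIDR membership instead of chained match() prefixes.
# Unlike an unanchored "10\.37\." prefix it is not fooled by a longer first octet (110.37.x.x),
# and it rejects captures such as 999.1.1.1 that \d{1,3} accepts but are not addresses.
WATCHED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.37.0.0/16", "10.28.0.0/16", "10.20.30.0/24")]

def should_alert(victim_ip: Optional[str]) -> bool:
    """True when the extracted string is a valid IPv4 address inside a watched network."""
    if victim_ip is None:
        return False
    try:
        addr = ipaddress.ip_address(victim_ip)
    except ValueError:
        return False
    return any(addr in net for net in WATCHED_NETWORKS)

if __name__ == "__main__":
    print("naive rex  :", extract_victim_ip(SAMPLE_TRAP, NAIVE_RE))  # 123.123.123.123
    print("anchored   :", extract_victim_ip(SAMPLE_TRAP))            # 10.37.99.223
    print("alert?     :", should_alert(extract_victim_ip(SAMPLE_TRAP)))
```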
Many thanks S - this worked a treat and does exactly what I need it to do. Without pushing you too much, how could I refine this search to include other network addresses, i.e. 10.37 OR 10.28 OR 10.20.30 etc.?
Updated the answer.
Thanks for your reply S
This search also produced no hits for me. Would your regex above search the whole trap message for a network address beginning 10.37? The reason I ask is that I do not see any reference directed at the line cidsAlertVictimAddress. This is the line I need to focus on for generating an alert or search result.
From your post though I am gaining a better understanding of the regex query, and I find the ability to change the victim IP search query quite useful, as this is also a requirement of mine. Cheers.
Your query should be something like this
index=myindex source=ips sourcetype=ips_threat | rex "(?m)osType=\W\S*\W\s(?P<VICTIM_IP>.*?)\:" | search VICTIM_IP="10.37.0.0"
Try this
index=myindex source=ips sourcetype=ips_threat | rex "(?i)(?P<VICTIM_IP>.*?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\:\d+" | search VICTIM_IP="10.37*"
Make sure the case of VICTIM_IP is the same in both places in the query. For some reason this page is converting the regex to lower case.
Thanks for the reply G
This did not produce any results, I'm afraid. I notice your regex includes a reference to the osType. This could differ depending on the message coming in and may not be present in some trap messages.
From the following line:
cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
I only need to search on the victim IP network address 10.37. I would just need to ignore all other characters on this line if possible.