- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help with regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings, I am trying to write a regex but am not successful as of yet. I am trying to match the:
Bot: Mariposa Command and Control
Suspicious user-agent strings
Kelihos.Gen Command And Control Traffic
from these logs:
Dec 12 15:08:55 ngf01.ourdomain.com 1,2013/12/12 15:08:55,0009C101128,THREAT,spyware,1,2013/12/12 15:08:49,192.155.89.148,10.17.41.22,0.0.0.0,0.0.0.0,Enterprise-URL-Filter,,,unknown-udp,vsys1,untrust,trust,ethernet1/2,ethernet1/1,Panorama-Log-Forwarding,2013/12/12 15:08:55,1821341,1,7006,2059,0,0,0x80004000,udp,alert,"",Bot: Mariposa Command and Control(12652),any,critical,server-to-client,14479581293,0x0,United States,10.0.0.0-10.255.255.255,0,
Dec 12 14:42:37 ngf01.ourdomain.com 1,2013/12/12 14:42:37,0009C101128,THREAT,spyware,1,2013/12/12 14:42:31,82.80.204.14,10.33.112.112,0.0.0.0,0.0.0.0,Enterprise-URL-Filter,,,web-browsing,vsys1,untrust,trust,ethernet1/2,ethernet1/1,Panorama-Log-Forwarding,2013/12/12 14:42:36,2034205,1,80,52924,0,0,0x80004000,tcp,alert,"ceb.aspx",Suspicious user-agent strings(10004),any,medium,server-to-client,14477791661,0x0,Israel,10.0.0.0-10.255.255.255,0,
Dec 12 15:05:59 ngf01.ourdomain.com 1,2013/12/12 15:05:59,0009C101128,THREAT,spyware,1,2013/12/12 15:05:54,211.120.150.217,10.17.31.175,0.0.0.0,0.0.0.0,Enterprise-URL-Filter,,,unknown-tcp,vsys1,untrust,trust,ethernet1/2,ethernet1/1,Panorama-Log-Forwarding,2013/12/12 15:05:59,1312191,1,80,2091,0,0,0x80004000,tcp,alert,"",Kelihos.Gen Command And Control Traffic(13390),any,critical,server-to-client,14479382956,0x0,Japan,10.0.0.0-10.255.255.255,0,
Any help would be greatly appreciated!
Dave
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ugh, I think I can pull this out now. So PAN looks to the 5 digit code after the threat: 12652, 10004, 13390 (from above) and then looks up that code in a lookup to come up with the name of the threat.
I think I can take it from here. Thanks alacercogitatus for pointing me in the right direction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ugh, I think I can pull this out now. So PAN looks to the 5 digit code after the threat: 12652, 10004, 13390 (from above) and then looks up that code in a lookup to come up with the name of the threat.
I think I can take it from here. Thanks alacercogitatus for pointing me in the right direction.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, so the PAN app has it, how do I find the regex or how it defines the "threat_id" field from the app?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is coming from a Palo Alto 5050. I am now looking through the PAN app. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where are the logs coming from? There might be an exisiting TA to handle extractions.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
