Does splunk have any issues with parsing out IPv6 addresses from firewall events? I guess it all depends on how the transforms are written and how the fields are delimited (Cisco App written to parse IPv6).
Has anyone successfully parsed IPv6 or noticed any issues or caveats that we should be aware of?
There are several formats in which IPv6 can be displayed in your event log. You will want to use transforms.conf to find and parse these addresses. Here is a list of regexes that match the different forms. (The IPv4 address converted to IPv6 used in the examples below is 192.168.10.100 with a net mask of 255.255.255.0)
fe80:0000:0000:0000:0000:0000:c0a8:a64
Regex to match and return full address as $1:
([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4})
fe80:0:0:0:0:0:c0a8:a64
Regex to match and return full address as $1 (yes, it's the same as the above):
([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4})
fe80::c0a8:a64
Regex to match collapsed zero groups. This will also work with collapsed zeros at the beginning of the address but not for single group addresses (e.g. '::1') and does not check for illegal IPv6 addresses (e.g. fe80::c0a8::a64):
(:{0,2}[0-9A-Fa-f]{1,4}:{0,2}[0-9A-Fa-f]{1,4}:{0,2}[0-9A-Fa-f]{1,4}:{0,2}[0-9A-Fa-f]{1,4}:{0,2}[0-9A-Fa-f]{1,4}:{0,2}[0-9A-Fa-f]{1,4}(?::{0,2}[0-9A-Fa-f]{1,4})?)
To account for mixed IPv4 and IPv6 addresses, IPv6 allows for changing the last 4 bits to include the IPv4 address. fe80:0000:0000:0000:0000:0000:c0a8:a64 would then be noted with the quad address at the end and become 'fe80:0000:0000:0000:0000:0000:192.168.10.100'.
fe80:0000:0000:0000:0000:0000:192.168.10.100
Regex to match:
([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:(?:\d{1,3}\.){3}\d{1,3})
fe80:0:0:0:0:0:192.168.10.100
Regex to match (same as above):
([0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:[0-9A-Fa-f]{1,4}:(?:\d{1,3}\.){3}\d{1,3})
fe80::192.168.10.100
Regex to match:
(:{0,2}[0-9A-Fa-f]{1,4}:{0,2}[0-9A-Fa-f]{1,4}:{0,2}[0-9A-Fa-f]{1,4}:{0,2}[0-9A-Fa-f]{1,4}:{0,2}[0-9A-Fa-f]{1,4}:{0,2}[0-9A-Fa-f]{1,4}(?::{0,2}[0-9A-Fa-f]{1,4})?(?:\d{1,3}\.){3}\d{1,3})
Depending on the IPv6 address type that you are seeing in your events, you may want to tailor the regex to fit your IPv6 addresses more specifically.
Note that the IETF has proposed RFC 5952 to "define a canonical textual representation format" across all systems and codes. Currently, IPv6 is difficult to parse, and the wide range of regex rules is going to leave holes in many apps. Hopefully RFC 5952 will bring some sanity to this mess.
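The patterns from this answer, run over constructed firewall events, as an added Python example (not code from the original answer or from any Splunk app). Python's re module handles the same syntax a transforms.conf REGEX uses here. The example rebuilds the three distinct patterns from one hextet atom, escapes the dot in the IPv4 tail, anchors them on a `src=` field (an assumed event layout, not one from the page), and adds the check the regexes cannot do themselves: handing each capture to the ipaddress module to reject strings like fe80::c0a8::a64. It also shows why the collapsed pattern should never be used unanchored: it happily accepts a syslog timestamp.

```python
import ipaddress
import re

# Added example, not from the original answer: the answer's regexes rebuilt from
# one hextet atom, run over constructed events, with a validity check behind them.
HEX = r"[0-9A-Fa-f]{1,4}"                    # one hextet, 1-4 hex digits
DOTTED_QUAD = r"(?:\d{1,3}\.){3}\d{1,3}"     # IPv4 tail, dot escaped

# Eight single-colon hextets: fe80:0000:...:c0a8:a64 and fe80:0:...:c0a8:a64
FULL = ":".join([HEX] * 8)
# Six hextets plus an IPv4 tail: fe80:0000:...:192.168.10.100 and fe80:0:...:192.168.10.100
MIXED_FULL = ":".join([HEX] * 6) + ":" + DOTTED_QUAD
# Collapsed "::" forms, built the way the answer builds them: hextets separated by
# 0-2 colons, six required and a seventh optional. As loose as the original: it
# still accepts fe80::c0a8::a64 and still misses ::1.
COLLAPSED = ":{0,2}" + ":{0,2}".join([HEX] * 6) + "(?::{0,2}" + HEX + ")?"
COLLAPSED_MIXED = COLLAPSED + DOTTED_QUAD

# Anchored on a field name, as a transforms.conf REGEX for a key=value event would
# be. "src=" is an assumption about the event layout. The most specific pattern
# goes first so an IPv4 tail is not cut off by a pattern that stops at the hextets.
SRC_PATTERNS = [re.compile(r"src=(" + p + r")")
                for p in (MIXED_FULL, COLLAPSED_MIXED, FULL, COLLAPSED)]


def extract_src(line):
    """Return the raw src= capture (what $1 would hold in transforms.conf), or None."""
    for pattern in SRC_PATTERNS:
        match = pattern.search(line)
        if match:
            return match.group(1)
    return None


def is_valid_ipv6(text):
    """Second pass the regexes cannot do on their own: let ipaddress judge the string."""
    try:
        return isinstance(ipaddress.ip_address(text), ipaddress.IPv6Address)
    except ValueError:
        return False


def loose_matches(text):
    """Everything the bare, unanchored collapsed pattern would accept in a string."""
    return re.findall(COLLAPSED, text)


def parse_events(lines):
    """Map each event to (captured src, whether the capture is a real IPv6 address)."""
    results = []
    for line in lines:
        captured = extract_src(line)
        results.append((captured, captured is not None and is_valid_ipv6(captured)))
    return results


# Constructed sample events: one per form in the answer plus the two caveats.
SAMPLE_EVENTS = [
    "May  1 10:00:00 fw01 conn: src=fe80:0000:0000:0000:0000:0000:c0a8:a64 dst=2001:db8::1",
    "May  1 10:00:01 fw01 conn: src=fe80:0:0:0:0:0:c0a8:a64 dst=2001:db8::1",
    "May  1 10:00:02 fw01 conn: src=fe80::c0a8:a64 dst=2001:db8::1",
    "May  1 10:00:03 fw01 conn: src=fe80:0000:0000:0000:0000:0000:192.168.10.100 dst=2001:db8::1",
    "May  1 10:00:04 fw01 conn: src=fe80:0:0:0:0:0:192.168.10.100 dst=2001:db8::1",
    "May  1 10:00:05 fw01 conn: src=fe80::192.168.10.100 dst=2001:db8::1",
    "May  1 10:00:06 fw01 conn: src=fe80::c0a8::a64 dst=2001:db8::1",  # illegal, still captured
    "May  1 10:00:07 fw01 conn: src=::1 dst=2001:db8::1",              # loopback, never captured
]

if __name__ == "__main__":
    for captured, valid in parse_events(SAMPLE_EVENTS):
        print(f"{captured!s:48} valid={valid}")
    # The bare collapsed pattern is happy to call a syslog timestamp an address.
    print("timestamp matched as IPv6:", loose_matches("10:00:00"))
```

The field anchor does the real work: with it, the six forms in the answer all come back as $1 and only the two documented caveats misbehave (the illegal double "::" is captured but fails validation, and ::1 is never captured). Without it, `loose_matches` shows the collapsed pattern matching "10:00:00" from the timestamp, which is the kind of hole a generic IPv6 extraction leaves in a firewall sourcetype.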
Certainly some example IPv6 addresses in the events themselves would be useful....
How do you use these in an actual search?
Can I use all 6 of these patterns and combine them into a single 'type' called 'IPv6 address'?