Currently I am extracting the URL and reverse IP address (D.C.B.A) from a DNS-related event. I would like to capture the IP address in the opposite order (A.B.C.D). I heard this may be possible with sed mode and/or the use of backreferences, but I haven't had any luck getting this to work. I have included a sample event and output below.
Please advise how to capture the reverse IP during field extraction. If this is not possible at the time of field extraction please advise how to output the desired result during a regular search (which could be used for a Dashboard).
Event:
Jan 1 00:00:00 locdet named[123456]: CEF:0|Infoblox|NIOS|7.3.6-335725|RPZ-IP|PASSTHRU|4|app=DNS dst=1.1.1.1 src=2.2.2.2 spt=12345 view=_default qtype=A msg="rpz IP PASSTHRU rewrite urlofinterest.com [A] via 32.D.C.B.A.rpz-ip.malware.rpz.infoblox.local"
RegEx:
^[^"\n]*"\w+\s+\w+\s+\w+\s+\w+\s+(?P<msg_domain>\w+\.\w+\s+\[\w+\])[^\.\n]*\.(?P<msg_revIP>\b(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)
Fields Currently Extracted:
msg_domain=urlofinterest.com
msg_revIP=D.C.B.A
Desired Field Extracted:
msg_domain=urlofinterest.com
msg_revIP=A.B.C.D
Thanks
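Added worked example, not part of the original post: it shows the two steps the question asks about in plain Python, so the logic can be checked offline before it is translated into a Splunk extraction. Step one is the field extraction with named groups (`msg_domain`, `msg_revIP`), using the same octet alternation as the poster's regex and the `via <prefixlen>.<D.C.B.A>.rpz-ip.` layout of the sample event. Step two is the backreference rewrite that turns `D.C.B.A` into `A.B.C.D`, which is exactly the `s/(o)\.(o)\.(o)\.(o)/\4.\3.\2.\1/` substitution a sed-mode rewrite performs. The sample event is constructed (octets made up); `prefix_len`, `msg_ip`, `extract_fields` and `reverse_ip` are names chosen for this example, and it assumes IPv4 triggers only.

```python
import re
from typing import Optional

# Constructed sample event modelled on the one in the post; the octets are made up.
SAMPLE_EVENT = (
    'Jan 1 00:00:00 locdet named[123456]: CEF:0|Infoblox|NIOS|7.3.6-335725|RPZ-IP|PASSTHRU|4|'
    'app=DNS dst=1.1.1.1 src=2.2.2.2 spt=12345 view=_default qtype=A '
    'msg="rpz IP PASSTHRU rewrite urlofinterest.com [A] via 32.40.30.20.10.rpz-ip.malware.rpz.infoblox.local"'
)

# Same octet alternation as the post's regex (0-255, no leading-zero check).
OCTET = r'(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
# Four capturing groups: these are what the replacement refers back to as \1 .. \4.
DOTTED_QUAD = rf'({OCTET})\.({OCTET})\.({OCTET})\.({OCTET})'

# Step 1: field extraction with named groups. The label before the reversed
# octets ("32." in the sample) is the RPZ prefix length; it is captured
# separately so it never ends up inside msg_revIP. Assumption: IPv4 only.
EXTRACT = re.compile(
    r'msg="rpz IP \w+ rewrite (?P<msg_domain>[^\s"]+) \[\w+\] via '
    rf'(?P<prefix_len>\d{{1,2}})\.(?P<msg_revIP>\b{DOTTED_QUAD}\b)\.rpz-ip\.'
)

# Step 2: the backreference rewrite, anchored so only a complete dotted quad
# is rewritten (a partial or out-of-range value is left alone).
REVERSE = re.compile(rf'^{DOTTED_QUAD}$')


def reverse_ip(rev_ip: str) -> Optional[str]:
    """Turn D.C.B.A into A.B.C.D via \\4.\\3.\\2.\\1, the same substitution a
    sed-mode s/.../.../ rewrite would apply. Returns None if the input is not
    a valid dotted quad, so a bad extraction never yields a half-reversed value."""
    if not REVERSE.fullmatch(rev_ip):
        return None
    return REVERSE.sub(r'\4.\3.\2.\1', rev_ip)


def extract_fields(event: str) -> Optional[dict]:
    """Extract msg_domain and msg_revIP from an RPZ-IP event and add msg_ip,
    the forward (A.B.C.D) form. Returns None when the event does not match."""
    m = EXTRACT.search(event)
    if not m:
        return None
    rev = m.group('msg_revIP')
    return {
        'msg_domain': m.group('msg_domain'),
        'msg_revIP': rev,
        'msg_ip': reverse_ip(rev),
    }


if __name__ == '__main__':
    for name, value in (extract_fields(SAMPLE_EVENT) or {}).items():
        print(f'{name}={value}')
```

The anchored `REVERSE` pattern is the part worth carrying over: an unanchored `(\d+)\.(\d+)\.(\d+)\.(\d+)` would happily rewrite the first four numeric labels of a longer name, so anchor the rewrite to the already-extracted `msg_revIP` field rather than running it over the whole message.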