Hi all,
I am trying to create an alert that triggers whenever I receive a high-risk notification from my IPS. I have my Splunk search term below that returns the correct trap message, but I need to know how I can filter further by the victim's network address. The victim's IP is contained in the following line:
cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
I would like to trigger my alert whenever this trap message comes in from any 10.37.0.0 source. I had a bash at regex but couldn't get past:
| rex field=cidsAlertVictimAddress
My Splunk query is this:
index=myindex source=ips sourcetype=ips_threat
What do I need to append to my query in order to only alert on the victim address sitting on network 10.37.0.0?
The trap message looks like this:
11/22/2013 4:13 PM 123.123.123.123:123.123.123.123 CISCO-CIDS-MIB:ciscoCidsAlert SNMP Trap
Received Time:11/22/2013 4:13:58 PM
Source:456.456.456.456(456.456.456.456)
Community:public
Variable Bindings
sysUpTime:= 112 days 19 hours 59 minutes 37.05 seconds (974877705)
snmpTrapOID:= CISCO-CIDS-MIB:ciscoCidsAlert (1.3.6.1.4.1.9.9.383.0.1)
cidsGeneralEventId:= 1323036804139549916
cidsGeneralLocalTime:= 11/22/2013 4:13:58 PM (B90LFhANOgA=)
cidsGeneralUTCTime:= 11/22/2013 4:13:58 PM (B90LFhANOgA=)
cidsGeneralOriginatorHostId:= ZBTDCSRMP002
cidsAlertSeverity:= high
cidsAlertAlarmTraits:= 2147483648
cidsAlertSignature:= Community Invalid Length
cidsAlertSignatureSigName:= SNMP Protocol Violation
cidsAlertSignatureSigId:= 4507
cidsAlertSignatureSubSigId:= 6
cidsAlertSignatureVersion:= S17
cidsAlertInterfaceGroup:= 0
cidsAlertVlan:= 0
cidsAlertAttackerAddress:= 192.168.188.20:50556
cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
cidsAlertDetails:= InterfaceAttributes: context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ;
cidsAlertEventRiskRating:= 100
cidsAlert.26:= 3
cidsAlert.27:= 17
cidsAlert.42:= 65
cidsAlert.46:= 1
Any help appreciated, ta.
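As an added worked example (not part of the original post), the logic the question is after, written in Python so it can be run against the trap text offline: parse the "name:= value" variable bindings, pull the trailing ip:port out of cidsAlertVictimAddress (ignoring the osIdSource/osRelevance/osType attributes that precede it), and test the IP against the victim network with a proper CIDR check rather than a string prefix match. The sample traps are trimmed copies of the post's trap plus two constructed variants; the /16 mask is an assumption, since the post only says "10.37.0.0".

```python
import ipaddress
import re
from typing import Dict, Optional

# The victim binding ends in "ip:port"; everything before it is OS-fingerprint noise.
VICTIM_RE = re.compile(r"(?P<victim_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<victim_port>\d+)\s*$")

# Assumption: the post says "10.37.0.0" with no mask; a /16 is assumed here.
VICTIM_NETWORK = ipaddress.ip_network("10.37.0.0/16")


def parse_bindings(trap: str) -> Dict[str, str]:
    """Turn the 'name:= value' variable-binding lines of a trap into a dict.

    Header lines such as 'Source:456.456.456.456(...)' have no ':=' and are skipped.
    """
    bindings: Dict[str, str] = {}
    for line in trap.splitlines():
        name, sep, value = line.partition(":=")
        if sep:
            bindings[name.strip()] = value.strip()
    return bindings


def extract_victim_ip(binding: str) -> Optional[str]:
    """Return the IP from a cidsAlertVictimAddress value, or None if none is present."""
    m = VICTIM_RE.search(binding)
    return m.group("victim_ip") if m else None


def should_alert(trap: str,
                 network: ipaddress.IPv4Network = VICTIM_NETWORK,
                 severity: str = "high") -> bool:
    """True when the trap is of the wanted severity and the victim sits in `network`."""
    b = parse_bindings(trap)
    if b.get("cidsAlertSeverity", "").lower() != severity:
        return False
    ip = extract_victim_ip(b.get("cidsAlertVictimAddress", ""))
    if ip is None:
        return False
    try:
        return ipaddress.ip_address(ip) in network
    except ValueError:          # e.g. a placeholder like 456.456.456.456
        return False


# Trimmed copy of the trap in the post (only the bindings this check needs).
TRAP_IN_NETWORK = """\
Source:456.456.456.456(456.456.456.456)
Community:public
snmpTrapOID:= CISCO-CIDS-MIB:ciscoCidsAlert (1.3.6.1.4.1.9.9.383.0.1)
cidsAlertSeverity:= high
cidsAlertSignatureSigId:= 4507
cidsAlertAttackerAddress:= 192.168.188.20:50556
cidsAlertVictimAddress:= osIdSource="unknown" osRelevance="relevant" osType="unknown" 10.37.99.223:161
cidsAlertEventRiskRating:= 100
"""

# Constructed variant: same severity, victim on a different network -> no alert.
TRAP_OTHER_NETWORK = TRAP_IN_NETWORK.replace("10.37.99.223:161", "10.38.4.7:161")

# Constructed variant: right network, but medium severity -> no alert.
TRAP_MEDIUM = TRAP_IN_NETWORK.replace("cidsAlertSeverity:= high", "cidsAlertSeverity:= medium")


if __name__ == "__main__":
    for label, trap in (("in-network", TRAP_IN_NETWORK),
                        ("other-network", TRAP_OTHER_NETWORK),
                        ("medium", TRAP_MEDIUM)):
        print(f"{label:14} alert={should_alert(trap)}")
```

The same two steps map directly onto SPL once cidsAlertVictimAddress is an extracted field: a rex with the regex above, for example rex field=cidsAlertVictimAddress "(?<victim_ip>\d{1,3}(?:\.\d{1,3}){3}):\d+$", followed by where cidrmatch("10.37.0.0/16", victim_ip). Note that a plain prefix match on "10.37." would also accept a victim such as 10.370.x.x if the field were ever malformed, and a match on "10.37" alone would accept 10.3.7.x; the CIDR test avoids both.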