IBM Security QRadar

  • 1.  IP address in the event is not parsable/searchable

    Posted Tue April 05, 2022 07:01 AM
    Hi everyone,

    I am taking logs from an application which sends the IP addresses in the log as follows,

    Normal IP Address  --->  The IP Address in the log
    10.1.255.10        --->  010.001.255.010

    Even if I parse this event I cannot search it properly, cannot use it on correlations etc.

    Is there anyone who encountered this type of event?

    Do you have any recommendation to solve this issue?

    Thank you in advance.
    Regards.

    ------------------------------
    Halil BALIM
    ------------------------------


  • 2.  RE: IP address in the event is not parsable/searchable

    Posted Fri April 08, 2022 04:23 PM
    For the Source IP or Destination IP fields, you can use this RegEx:

    0{0,2}([1-9]\d{0,2})\.0{0,2}([1-9]\d{0,2})\.0{0,2}([1-9]\d{0,2})\.0{0,2}([1-9]\d{0,2})

    ...and this format string:

    $1.$2.$3.$4

    This will not work for custom extracted properties.  It only works for built-in IP address fields.  Note that the Regex I used is pretty sloppy, but likely to work anyway.  Feel free to clean it up if you like.

    ------------------------------
    Dan Zerkle
    ------------------------------
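The normalization from the reply above, as an added example that is not part of the original thread or of QRadar itself. It reproduces the capture-group plus `$1.$2.$3.$4` format-string approach in Python, with one change: the per-octet group is `\d{1,3}` rather than `[1-9]\d{0,2}`, so an all-zero octet such as `000` (which the posted regex would not match) still normalizes. A second, free-text variant pulls padded addresses out of whole log lines and refuses quads with an octet above 255. The log line and address values are constructed for the example.

```python
import re

# Constructed sample log line (not from the original thread): the application
# writes every IPv4 octet zero-padded to three digits.
SAMPLE_LOG = (
    "2022-04-05T07:01:00 app: session from 010.001.255.010 to 192.168.000.001 "
    "port 443; build 2.10.0 ignored"
)

# Capture-group / format-string approach as in the thread, with \d{1,3} per
# octet so an all-zero octet (000) still matches. 0{0,2} swallows the padding
# and the group keeps the significant digits.
QRADAR_STYLE = re.compile(
    r"^0{0,2}(\d{1,3})\.0{0,2}(\d{1,3})\.0{0,2}(\d{1,3})\.0{0,2}(\d{1,3})$"
)


def qradar_style_normalize(ip: str) -> str:
    """Apply the regex and a '$1.$2.$3.$4'-style format string to one address.
    Returns the input unchanged when it is not a dotted quad."""
    return QRADAR_STYLE.sub(r"\1.\2.\3.\4", ip)


# Free-text variant for whole log lines. The digit look-arounds keep the match
# from starting or ending inside a longer digit run (1234.1.1.1 is not 234.1.1.1).
ANY_QUAD = re.compile(r"(?<!\d)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?!\d)")


def canonical_quad(match):
    """Strip leading zeros with int(); return None if any octet exceeds 255,
    since such a quad is not an IPv4 address and should not be rewritten."""
    octets = [int(g) for g in match.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def normalize_ipv4(text: str) -> str:
    """Rewrite every zero-padded IPv4 literal in `text` into canonical form,
    leaving non-address quads untouched."""
    return ANY_QUAD.sub(lambda m: canonical_quad(m) or m.group(0), text)


def extract_ips(text: str) -> list:
    """Return the canonical IPv4 addresses found in `text`, in order."""
    found = []
    for m in ANY_QUAD.finditer(text):
        ip = canonical_quad(m)
        if ip is not None:
            found.append(ip)
    return found


if __name__ == "__main__":
    print(qradar_style_normalize("010.001.255.010"))  # 10.1.255.10
    print(normalize_ipv4(SAMPLE_LOG))
    print(extract_ips(SAMPLE_LOG))
```

The `qradar_style_normalize` pattern is the one to carry back into a regex-plus-format-string field; the free-text functions are for checking, outside the SIEM, that every address in a sample of raw events normalizes as expected before the parser change goes live.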



  • 3.  RE: IP address in the event is not parsable/searchable

    Posted Fri April 08, 2022 04:24 PM
    Also, please note that a much better solution is to find whoever formatted those terrible logs and tell them to use standard formatting for IPv4 IP addresses.

    ------------------------------
    Dan Zerkle
    ------------------------------