fix: updating ipv6-v4 regex in data models

[harshilgajera-crest]

Current regex for data models support only basic ipv6 regex.

Support for advanced representation of ipv6 is required, hence this pr supports that.

ref: ipv6 represenation - https://en.wikipedia.org/wiki/IPv6#Address_representation

Tested it with gcp addon which as combination of ipv4 and v6 samples in host fields, also tested it on https://github.com/splunk/splunk-add-on-for-okta-identity-cloud/pull/261 where advanced ipv6 represenation is present

Added e2e test which tests extraction of some ipv6 formats using src_ip and dest_ip fields in network_traffic data model

Tested regex with below samples:
Regex : (?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3})

1234::
2001:db8::
::1334
::
::1325
2001:0db8::1:2:3456
2001::1:2:3
2001:db8::1:2
::ffff:192.168.1.1
::
::ffff:192.168.1.112
::1
2001:0db8::1:2:3
0000:0000:0000:0000:0000:0000:0000:0001
ff02:0000:0000:0000:0000:0000:0000:0001
fe80:0000:0000:0000:a299:9bff:fe18:50d1
2001:0db8:1111:000a:00b0:0000:9000:0200
2001:0db8:0000:0000:abcd:0000:0000:1234
2001:0db8:cafe:0001:0000:0000:0000:0100
2001:0db8:cafe:0001:0000:0000:0000:0200
2001:db80:1000:a000:0000:bc00:abcd:d0b0
1:2:3:4:5:6:7::
fe80::a299:9bff:fe18:50d1
::3212
::1212
2001::abcd::1234
2001:db80:1000:a000:0000:bc00:abcd:d0b0
2001::abcd
2001:0000:0000:0000:abcd:0000:0000:1234
2001:0000:0000:abcd:0000:0000:0000:1234
2001:0000:abcd:0000:0000:0000:0000:1234
2001:db8:1111:a:b0:0:9000:200
fe80:0:0:0:a299:9bff:fe18:50d1
0:0:0:0:0:0:0:1
0000:0000:0000:0000:0000:0000:0000:0001
0:0:0:0:0:0:ffff:192.168.10.10
2001:0000:0000:0000:0000:abcd:0000:1
::ffff:192.168.10.10
2001:0db8::1:2:3

[artemrys]

Can we have more IPv6-related tests in sample_requirement.xml file? You mention in the description of this PR that you tested a bunch of different combinations - did you test them manually? Can we bring them into PSA's pipeline?

[harshilgajera-crest]

Can we have more IPv6-related tests in sample_requirement.xml file? You mention in the description of this PR that you tested a bunch of different combinations - did you test them manually? Can we bring them into PSA's pipeline?

So I tested them on regex101 with all the sample, I have provided the regex and ipv6 samples in description

[harshilgajera-crest]

Can we have more IPv6-related tests in sample_requirement.xml file? You mention in the description of this PR that you tested a bunch of different combinations - did you test them manually? Can we bring them into PSA's pipeline?

Let me see if I can somehow tokenize the events because otherwise it would not be possible we would have to copy paste events 30-40 times.

[artemrys]

@hsekowski-splunk can you please review as well?

[hsekowski-splunk]

@artemrys ,
you did awesome review so no much to do for me
my focus was on tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf to make sure representations required by SMEs are reflected

@harshilgajera-crest ,
great job!
thank you :)

[srv-rr-github-token]

🎉 This PR is included in version 5.2.6 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀