From 546bfad4d33b797e286f2c4ea95ceed98ff147d5 Mon Sep 17 00:00:00 2001 From: Harshil Gajera Date: Fri, 3 May 2024 15:44:22 +0530 Subject: [PATCH 1/8] fix: enhancing ipv6-v4 regex --- .../standard_lib/data_models/Intrusion_Detection.json | 4 ++-- .../standard_lib/data_models/Network_Resolution.json | 4 ++-- .../standard_lib/data_models/Network_Traffic.json | 10 +++++----- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/pytest_splunk_addon/standard_lib/data_models/Intrusion_Detection.json b/pytest_splunk_addon/standard_lib/data_models/Intrusion_Detection.json index 8bbb07e3d..7d50d8b00 100644 --- a/pytest_splunk_addon/standard_lib/data_models/Intrusion_Detection.json +++ b/pytest_splunk_addon/standard_lib/data_models/Intrusion_Detection.json 
@@ -23,7 +23,7 @@ "name": "dest", "type": "conditional", "condition": "ids_type=\"network\"", - "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(dest,\"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", + "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", 
\"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", "comment": "The 
destination of the attack detected by the intrusion detection system (IDS). You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, or dest_name." }, { 
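Review bot: The rewritten IPv6 branches of the new `validity` regex accept only lowercase hex (`[a-f0-9]{1,4}`), whereas the pattern being removed accepted `[0-9A-Fa-f]{1,4}`; Splunk's `match()` is case-sensitive unless the pattern starts with `(?i)`, so an uppercase address such as `2001:0DB8:0000:0000:0000:0000:0000:0001` that previously passed now falls through to `true(), null()`, and changing each `[a-f0-9]` to `[0-9a-fA-F]` (or prefixing the pattern with `(?i)`) restores it. The alternation is also still unanchored as a whole — only the compressed-IPv6 branch carries `^` and no branch ends in `$` — so a value like `256.1.1.1` is accepted via the substring `56.1.1.1`, and the IPv4-mapped branch validates octets with `\d{1,3}`, which accepts `999`; wrapping the whole pattern in `^(?:…)$` and reusing the octet alternation already present in the plain IPv4 branch would make the validity check reject those. The same regex is pasted verbatim into the `src` hunk below and into every hunk of Network_Resolution.json (dest, src) and Network_Traffic.json (dest, dest_ip, protocol, src, src_ip), so whatever is decided here should be applied to all nine occurrences together.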
@@ -76,7 +76,7 @@ "name": "src", "type": "conditional", "condition": "ids_type=\"network\"", - "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(src,\"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())", + "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", 
\"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())", "comment": "The source 
involved in the attack detected by the IDS. You can alias this from more specific fields not included in this data model, such as src_host, src_ip, or src_name." }, { diff --git a/pytest_splunk_addon/standard_lib/data_models/Network_Resolution.json b/pytest_splunk_addon/standard_lib/data_models/Network_Resolution.json index 2ac852606..656b26a95 100644 --- a/pytest_splunk_addon/standard_lib/data_models/Network_Resolution.json +++ b/pytest_splunk_addon/standard_lib/data_models/Network_Resolution.json @@ -38,7 +38,7 @@ { "name": "dest", "type": "required", - "validity": "case(in(upper(transport), \"TCP\", \"UDP\"), if(match(dest,\"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", + "validity": "case(in(upper(transport), \"TCP\", \"UDP\"), if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", "comment": "The destination of the network resolution event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." }, { 
@@ -151,7 +151,7 @@ { "name": "src", "type": "required", - "validity": "case(in(upper(transport), \"TCP\", \"UDP\"), if(match(src,\"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())", + "validity": "case(in(upper(transport), \"TCP\", \"UDP\"), if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())", "comment": "The source of the network resolution event. You can alias this from more specific fields, such as src_host, src_ip, or src_name." }, { diff --git a/pytest_splunk_addon/standard_lib/data_models/Network_Traffic.json b/pytest_splunk_addon/standard_lib/data_models/Network_Traffic.json index 05126fb47..18bbeaf53 100644 --- a/pytest_splunk_addon/standard_lib/data_models/Network_Traffic.json +++ b/pytest_splunk_addon/standard_lib/data_models/Network_Traffic.json 
@@ -53,7 +53,7 @@ { "name": "dest", "type": "required", - "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(dest,\"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", + "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", 
\"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", "comment": "The destination of the network traffic (the 
remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." }, { @@ -65,7 +65,7 @@ "name": "dest_ip", "type": "conditional", "condition": "dest_ip=*", - "validity": "if(match(dest_ip, \"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"),dest_ip,null())", + "validity": "if(match(dest_ip, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"),dest_ip,null())", "comment": "The IP address of the destination." }, { 
@@ -168,7 +168,7 @@ { "name": "protocol", "type": "conditional", - "condition": "| where match(src, \"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\") or match(dest, \"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\")", + "condition": "| where match(src, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\") or match(dest, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")", "expected_values": ["ip", "icmp"], "comment": "The OSI layer 3 (network) protocol of the traffic observed, in lower case. For example, ip, appletalk, ipx." }, 
@@ -198,7 +198,7 @@ { "name": "src", "type": "required", - "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(src,\"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())", + "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", 
\"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())", "comment": "The source of the network traffic (the client 
requesting the connection). You can alias this from more specific fields, such as src_host, src_ip, or src_name.'" }, { @@ -270,7 +270,7 @@ "name": "src_ip", "type": "conditional", "condition": "src_ip=*", - "validity": "if(match(src_ip, \"(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}|(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\\.|$)){4}\"),src_ip,null())", + "validity": "if(match(src_ip, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"),src_ip,null())", "comment": "The ip address of the source." }, { From 5c5536eacde1ecccefadbfb45ffca9d0a8db0dda Mon Sep 17 00:00:00 2001 
From: harshilgajera-crest <69803385+harshilgajera-crest@users.noreply.github.com> Date: Tue, 7 May 2024 14:23:35 +0530 Subject: [PATCH 2/8] Ci/adding e2e tests (#832) --- .github/workflows/build-test-release.yml | 1 + Dockerfile.tests | 2 +- tests/e2e/addons/TA_cim_addon/app.manifest | 53 +++++++++++ .../e2e/addons/TA_cim_addon/default/app.conf | 20 ++++ .../TA_cim_addon/default/eventtypes.conf | 11 +++ .../addons/TA_cim_addon/default/props.conf | 17 ++++ .../default/pytest-splunk-addon-data.conf | 44 +++++++++ .../e2e/addons/TA_cim_addon/default/tags.conf | 12 +++ .../TA_cim_addon/default/transforms.conf | 0 .../addons/TA_cim_addon/metadata/default.meta | 10 ++ .../TA_cim_addon/samples/result_mapping | 3 + .../samples/sample_requirement.xml | 91 +++++++++++++++++++ tests/e2e/constants.py | 6 +- tests/e2e/test_splunk_addon.py | 49 ++++++++++ 14 files changed, 317 insertions(+), 2 deletions(-) create mode 100644 tests/e2e/addons/TA_cim_addon/app.manifest create mode 100644 tests/e2e/addons/TA_cim_addon/default/app.conf create mode 100644 tests/e2e/addons/TA_cim_addon/default/eventtypes.conf create mode 100644 tests/e2e/addons/TA_cim_addon/default/props.conf create mode 100644 tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf create mode 100644 tests/e2e/addons/TA_cim_addon/default/tags.conf create mode 100644 tests/e2e/addons/TA_cim_addon/default/transforms.conf create mode 100644 tests/e2e/addons/TA_cim_addon/metadata/default.meta create mode 100644 tests/e2e/addons/TA_cim_addon/samples/result_mapping create mode 100644 tests/e2e/addons/TA_cim_addon/samples/sample_requirement.xml diff --git a/.github/workflows/build-test-release.yml b/.github/workflows/build-test-release.yml index d14e91ff0..45dd488bf 100644 --- a/.github/workflows/build-test-release.yml +++ b/.github/workflows/build-test-release.yml 
@@ -170,6 +170,7 @@ jobs: "splunk_setup_fixture", "splunk_app_req", "splunk_app_req_broken", + "splunk_cim_model_ipv6_regex", ] steps: - uses: actions/checkout@v4 diff --git a/Dockerfile.tests b/Dockerfile.tests index 8d2ad273f..f0f11fb27 100644 --- a/Dockerfile.tests +++ b/Dockerfile.tests @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. # -FROM ubuntu:latest +FROM ubuntu:22.04 RUN mkdir -p /work/tests RUN mkdir -p /work/test-results/functional diff --git a/tests/e2e/addons/TA_cim_addon/app.manifest b/tests/e2e/addons/TA_cim_addon/app.manifest new file mode 100644 index 000000000..3a0ec6a1e --- /dev/null +++ b/tests/e2e/addons/TA_cim_addon/app.manifest @@ -0,0 +1,53 @@ +{ + "schemaVersion": "2.0.0", + "info": { + "title": "TA_transition_from_req", + "id": { + "group": null, + "name": "TA_transition_from_req", + "version": "0.0.0-dev" + }, + "author": [ + { + "name": "Splunk Inc.", + "email": "support@splunk.com", + "company": "Splunk, Inc." + } + ], + "releaseDate": null, + "description": "TA IN DEV UNKNOWN", + "classification": { + "intendedAudience": null, + "categories": [], + "developmentStatus": null + }, + "commonInformationModels": null, + "license": { + "name": "Splunk EULA", + "text": null, + "uri": "LICENSE" + }, + "privacyPolicy": { + "name": null, + "text": null, + "uri": null + }, + "releaseNotes": { + "name": null, + "text": null, + "uri": null + } + }, + "dependencies": { + }, + "tasks": [], + "inputGroups": { + }, + "incompatibleApps": { + }, + "platformRequirements": { + "splunk": { + "Enterprise": "*" + } + } +} diff --git a/tests/e2e/addons/TA_cim_addon/default/app.conf b/tests/e2e/addons/TA_cim_addon/default/app.conf new file mode 100644 index 000000000..8de25f2aa --- /dev/null +++ b/tests/e2e/addons/TA_cim_addon/default/app.conf 
@@ -0,0 +1,20 @@ +# this add-on is powered by splunk Add-on builder +[install] +state_change_requires_restart = true +build = 2 + +[launcher] +author =Splunk Inc.x +version =0.0.0-dev + +[ui] +is_visible = 0 +label = TA_transition_from_req +docs_section_override = AddOns:released + +[package] +id =TA_transition_from_req + +[id] +name =TA_transition_from_req +version =0.0.0-dev diff --git a/tests/e2e/addons/TA_cim_addon/default/eventtypes.conf b/tests/e2e/addons/TA_cim_addon/default/eventtypes.conf new file mode 100644 index 000000000..6b9f67e0b --- /dev/null +++ b/tests/e2e/addons/TA_cim_addon/default/eventtypes.conf @@ -0,0 +1,11 @@ +## +## SPDX-FileCopyrightText: 2021 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## +## + +; [test_auth] +; search = sourcetype=test:data:1 AND action IN ("success","failure","error") + +[test_ipv6] +search = sourcetype=test:ipv6 \ No newline at end of file diff --git a/tests/e2e/addons/TA_cim_addon/default/props.conf b/tests/e2e/addons/TA_cim_addon/default/props.conf new file mode 100644 index 000000000..39edb655a --- /dev/null +++ b/tests/e2e/addons/TA_cim_addon/default/props.conf @@ -0,0 +1,17 @@ +## +## SPDX-FileCopyrightText: 2021 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## +## + +; [test:data:1] +; FIELDALIAS-dest = host AS dest +; FIELDALIAS-action = result AS action +; EVAL-app = "psa" +; FIELDALIAS-user = tester AS user +; FIELDALIAS-src = ip AS src +; EVAL-status = case(action=="success", "PASS", action=="failure", "FAIL", 0==0, "OTHER") + +[test:ipv6] +FIELDALIAS-client_ipAddress_as_src_ip = client.ipAddress AS src_ip +FIELDALIAS-client_destadd_as_dest_ip = client.destadd AS dest_ip diff --git a/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf b/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf new file mode 100644 index 000000000..e09773ce0 --- /dev/null +++ b/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf 
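Review bot: `author =Splunk Inc.x` in the new app.conf carries a stray trailing `x`; `author = Splunk Inc.` is presumably what was intended. The `[launcher]`, `[package]` and `[id]` stanzas also omit the space after `=` (`version =0.0.0-dev`, `id =TA_transition_from_req`, `name =TA_transition_from_req`) while `[install]` and `[ui]` use `key = value`; one style throughout the file would read better.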
@@ -0,0 +1,44 @@ +; [sample_modinput.xml] +; requirement_test_sample = 1 +; interval = 120 +; earliest = -2m +; latest = now +; source = test_data.1 +; sourcetype = test:data:1 +; count = 100 +; input_type = modinput +; host_type = plugin +; sourcetype_to_search = test:data:1 +; host = so1 +; timestamp_type = event +; +; token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} +; token.0.replacementType = timestamp +; token.0.replacement = %Y-%m-%d %H:%M:%S +; token.0.field = _time +; +; token.1.token = ##dest_ipv4## +; token.1.replacementType = random +; token.1.replacement = dest["ipv4"] +; +; token.2.token = ##result## +; token.2.replacementType = all +; token.2.replacement = file[$SPLUNK_HOME/etc/apps/TA_transition_from_req/samples/result_mapping:1] +; +; token.3.token = ##result_mapping## +; token.3.replacementType = all +; token.3.replacement = file[$SPLUNK_HOME/etc/apps/TA_transition_from_req/samples/result_mapping:2] + +[sample_requirement.xml] +requirement_test_sample = 1 +interval = 30 +earliest = -60m +latest = now +sourcetype = test:ipv6 +source = test_okta +maxIntervalsBeforeFlush = 1 +input_type = modinput +host_type = plugin +sourcetype_to_search = test:ipv6 +timestamp_type = plugin +expected_event_count = 3 diff --git a/tests/e2e/addons/TA_cim_addon/default/tags.conf b/tests/e2e/addons/TA_cim_addon/default/tags.conf new file mode 100644 index 000000000..1ad01eda8 --- /dev/null +++ b/tests/e2e/addons/TA_cim_addon/default/tags.conf @@ -0,0 +1,12 @@ +## +## SPDX-FileCopyrightText: 2021 Splunk, Inc. +## SPDX-License-Identifier: LicenseRef-Splunk-8-2021 +## +## + +; [eventtype=test_auth] +; authentication = enabled + +[eventtype=test_ipv6] +network = enabled +communicate = enabled \ No newline at end of file diff --git a/tests/e2e/addons/TA_cim_addon/default/transforms.conf b/tests/e2e/addons/TA_cim_addon/default/transforms.conf new file mode 100644 index 000000000..e69de29bb 
diff --git a/tests/e2e/addons/TA_cim_addon/metadata/default.meta b/tests/e2e/addons/TA_cim_addon/metadata/default.meta new file mode 100644 index 000000000..55207d987 --- /dev/null +++ b/tests/e2e/addons/TA_cim_addon/metadata/default.meta @@ -0,0 +1,10 @@ + +# This is a TA, so export almost everything + +[] +access = read : [ * ], write : [ admin, power ] +export = system + +# Do not export commands +[commands] +export = none diff --git a/tests/e2e/addons/TA_cim_addon/samples/result_mapping b/tests/e2e/addons/TA_cim_addon/samples/result_mapping new file mode 100644 index 000000000..d7370d211 --- /dev/null +++ b/tests/e2e/addons/TA_cim_addon/samples/result_mapping @@ -0,0 +1,3 @@ +success,PASS +failure,FAIL +error,OTHER \ No newline at end of file diff --git a/tests/e2e/addons/TA_cim_addon/samples/sample_requirement.xml b/tests/e2e/addons/TA_cim_addon/samples/sample_requirement.xml new file mode 100644 index 000000000..df5e6f92a --- /dev/null +++ b/tests/e2e/addons/TA_cim_addon/samples/sample_requirement.xml @@ -0,0 +1,91 @@ + + + OKTA + OKTA Identity Cloud + + + + 2023.10.0 + + + + generated, Generated from lab environment + + + + + Network_Traffic + + + + + + + bytes + bytes_in + bytes_out + dest_port + dest_zone + src_port + src_translated_ip + src_zone + + + + + 2023.10.0 + + + + generated, Generated from lab environment + + + + + Network_Traffic + + + + + + + bytes + bytes_in + bytes_out + dest_port + dest_zone + src_port + src_translated_ip + src_zone + + + + + 2023.10.0 + + + + generated, Generated from lab environment + + + + + Network_Traffic + + + + + + + bytes + bytes_in + bytes_out + dest_port + dest_zone + src_port + src_translated_ip + src_zone + + + + diff --git a/tests/e2e/constants.py b/tests/e2e/constants.py index 72b553616..c97098fa4 100644 --- a/tests/e2e/constants.py +++ b/tests/e2e/constants.py 
@@ -761,7 +761,6 @@
 "*test_splunk_fiction_indextime_broken.py::Test_App::test_requirements_fields[splunk_searchtime_fields_requirements0* SKIPPED*",
 "*test_splunk_fiction_indextime_broken.py::Test_App::test_cim_fields_recommended[splunk_searchtime_cim_fields_recommended0* SKIPPED*",
 ]
-
 TA_REQ_TRANSITION_PASSED = [
 "*test_splunk_app_req.py::Test_App::test_events_with_untokenised_values PASSED*",
 "*test_splunk_app_req.py::Test_App::test_indextime_time[test:data:1::* PASSED*",
@@ -922,3 +921,8 @@
 "*test_splunk_app_req_broken.py::Test_App::test_props_fields_no_dash_not_empty[splunk_searchtime_fields_negative0* SKIPPED*",
 "*test_splunk_app_req_broken.py::Test_App::test_savedsearches[splunk_searchtime_fields_savedsearches0* SKIPPED*",
 ]
+
+TA_CIM_MODEL_RESULT = [
+ '*test_splunk_cim_model_ipv6_regex.py::Test_App::test_cim_required_fields[eventtype="test_ipv6"::All_Traffic::dest_ip* PASSED*',
+ '*test_splunk_cim_model_ipv6_regex.py::Test_App::test_cim_required_fields[eventtype="test_ipv6"::All_Traffic::src_ip* PASSED*',
+]
diff --git a/tests/e2e/test_splunk_addon.py b/tests/e2e/test_splunk_addon.py
index 0ec0c3f1c..a36b6b72d 100644
--- a/tests/e2e/test_splunk_addon.py
+++ b/tests/e2e/test_splunk_addon.py
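Review bot: The new constant `TA_CIM_MODEL_RESULT` does not follow the naming of the neighbouring expectation lists, which carry the expected outcome in the name (`TA_REQ_TRANSITION_PASSED` directly above); `TA_CIM_MODEL_PASSED = [` would read consistently and tell the caller what state the patterns assert. Only the two `dest_ip`/`src_ip` lines are listed, so any other outcome in the run is unconstrained by this list; that is presumably intended, since the test that consumes it expects a non-zero exit code, but a one-line comment above the list saying so would save the next reader the lookup.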
@@ -741,6 +741,55 @@ def empty_method(): assert result.ret == 0, "result not equal to 0" +@pytest.mark.docker +@pytest.mark.splunk_cim_model_ipv6_regex +def test_splunk_cim_model_ipv6_regex(testdir, request): + """ + In this test we are only checking if src_ip and dest_ip are extracted and are valid and tests are passing + Both these fields contains diff advanced form of ipv6 formats which would then be extracted via fields in data modles + """ + testdir.makepyfile( + """ + from pytest_splunk_addon.standard_lib.addon_basic import Basic + class Test_App(Basic): + def empty_method(): + pass + """ + ) + + shutil.copytree( + os.path.join(testdir.request.fspath.dirname, "addons/TA_cim_addon"), + os.path.join(testdir.tmpdir, "package"), + ) + + shutil.copytree( + os.path.join(testdir.request.fspath.dirname, "test_data_models"), + os.path.join(testdir.tmpdir, "tests/data_models"), + ) + + setup_test_dir(testdir) + SampleGenerator.clean_samples() + Rule.clean_rules() + + # run pytest with the following cmd args + result = testdir.runpytest( + f"--splunk-version={request.config.getoption('splunk_version')}", + "--splunk-type=docker", + "-v", + "--search-interval=2", + "--search-retry=4", + "--search-index=*", + "--splunk-data-generator=tests/addons/TA_transition_from_req/default", + "-k test_cim_required_fields", + ) + logger.info(result.outlines) + + result.stdout.fnmatch_lines_random(constants.TA_CIM_MODEL_RESULT) + + # make sure that we get a non '0' exit code for the testsuite as it contains failure + assert result.ret != 0, "result not equal to 0" + + @pytest.mark.test_infinite_loop_fixture @pytest.mark.external def test_infinite_loop_in_ingest_data_fixture(testdir, request): From 0e3d26b49e30bd3c827926e287919b6a7511727c Mon Sep 17 00:00:00 2001 
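Review bot: The failure message on the final assertion contradicts the check — `assert result.ret != 0, "result not equal to 0"` only fires when ret is 0 — and should become `assert result.ret != 0, "expected a non-zero exit code: only the src_ip/dest_ip results are expected to pass"`. The docstring says the tests "are passing" while the function deliberately requires a failing suite, so the comment above the assert is the right place to state which tests are expected to fail, if that is known. `--splunk-data-generator=tests/addons/TA_transition_from_req/default` points at a different add-on than the `addons/TA_cim_addon` package copied into the temp dir a few lines earlier, so at this commit the sample generator is driven by another add-on's config; this appears to be corrected later in the series. The docstring also misspells "models" as "modles".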
From: Harshil Gajera Date: Tue, 7 May 2024 16:18:42 +0530 Subject: [PATCH 3/8] ci: cleanup test addon
---
 .../e2e/addons/TA_cim_addon/default/app.conf | 7 ++--- .../TA_cim_addon/default/eventtypes.conf | 9 ------ .../addons/TA_cim_addon/default/props.conf | 14 --------- .../default/pytest-splunk-addon-data.conf | 31 ------------------- .../e2e/addons/TA_cim_addon/default/tags.conf | 9 ------ .../TA_cim_addon/default/transforms.conf | 0 6 files changed, 3 insertions(+), 67 deletions(-) delete mode 100644 tests/e2e/addons/TA_cim_addon/default/transforms.conf
diff --git a/tests/e2e/addons/TA_cim_addon/default/app.conf b/tests/e2e/addons/TA_cim_addon/default/app.conf
index 8de25f2aa..c4948f351 100644
--- a/tests/e2e/addons/TA_cim_addon/default/app.conf
+++ b/tests/e2e/addons/TA_cim_addon/default/app.conf
@@ -1,4 +1,3 @@
-# this add-on is powered by splunk Add-on builder
 [install]
 state_change_requires_restart = true
 build = 2
@@ -9,12 +8,12 @@ version =0.0.0-dev
 [ui]
 is_visible = 0
-label = TA_transition_from_req
+label = TA_cim_addon
 docs_section_override = AddOns:released
 [package]
-id =TA_transition_from_req
+id =TA_cim_addon
 [id]
-name =TA_transition_from_req
+name =TA_cim_addon
 version =0.0.0-dev
diff --git a/tests/e2e/addons/TA_cim_addon/default/eventtypes.conf b/tests/e2e/addons/TA_cim_addon/default/eventtypes.conf
index 6b9f67e0b..7931862fb 100644
--- a/tests/e2e/addons/TA_cim_addon/default/eventtypes.conf
+++ b/tests/e2e/addons/TA_cim_addon/default/eventtypes.conf
@@ -1,11 +1,2 @@
-##
-## SPDX-FileCopyrightText: 2021 Splunk, Inc.
-## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-##
-##
-
-; [test_auth]
-; search = sourcetype=test:data:1 AND action IN ("success","failure","error")
-
 [test_ipv6]
 search = sourcetype=test:ipv6
\ No newline at end of file
diff --git a/tests/e2e/addons/TA_cim_addon/default/props.conf b/tests/e2e/addons/TA_cim_addon/default/props.conf
index 39edb655a..8d7e87dcf 100644
--- a/tests/e2e/addons/TA_cim_addon/default/props.conf
+++ b/tests/e2e/addons/TA_cim_addon/default/props.conf
@@ -1,17 +1,3 @@
-##
-## SPDX-FileCopyrightText: 2021 Splunk, Inc.
-## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-##
-##
-
-; [test:data:1]
-; FIELDALIAS-dest = host AS dest
-; FIELDALIAS-action = result AS action
-; EVAL-app = "psa"
-; FIELDALIAS-user = tester AS user
-; FIELDALIAS-src = ip AS src
-; EVAL-status = case(action=="success", "PASS", action=="failure", "FAIL", 0==0, "OTHER")
-
 [test:ipv6]
 FIELDALIAS-client_ipAddress_as_src_ip = client.ipAddress AS src_ip
 FIELDALIAS-client_destadd_as_dest_ip = client.destadd AS dest_ip
diff --git a/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf b/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf
index e09773ce0..5595c5680 100644
--- a/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf
+++ b/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf
@@ -1,34 +1,3 @@
-; [sample_modinput.xml]
-; requirement_test_sample = 1
-; interval = 120
-; earliest = -2m
-; latest = now
-; source = test_data.1
-; sourcetype = test:data:1
-; count = 100
-; input_type = modinput
-; host_type = plugin
-; sourcetype_to_search = test:data:1
-; host = so1
-; timestamp_type = event
-;
-; token.0.token = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
-; token.0.replacementType = timestamp
-; token.0.replacement = %Y-%m-%d %H:%M:%S
-; token.0.field = _time
-;
-; token.1.token = ##dest_ipv4##
-; token.1.replacementType = random
-; token.1.replacement = dest["ipv4"]
-;
-; token.2.token = ##result##
-; token.2.replacementType = all
-; token.2.replacement = file[$SPLUNK_HOME/etc/apps/TA_transition_from_req/samples/result_mapping:1]
-;
-; token.3.token = ##result_mapping##
-; token.3.replacementType = all
-; token.3.replacement = file[$SPLUNK_HOME/etc/apps/TA_transition_from_req/samples/result_mapping:2]
-
 [sample_requirement.xml]
 requirement_test_sample = 1
 interval = 30
diff --git a/tests/e2e/addons/TA_cim_addon/default/tags.conf b/tests/e2e/addons/TA_cim_addon/default/tags.conf
index 1ad01eda8..219722b8f 100644
--- a/tests/e2e/addons/TA_cim_addon/default/tags.conf
+++ b/tests/e2e/addons/TA_cim_addon/default/tags.conf
@@ -1,12 +1,3 @@
-##
-## SPDX-FileCopyrightText: 2021 Splunk, Inc.
-## SPDX-License-Identifier: LicenseRef-Splunk-8-2021
-##
-##
-
-; [eventtype=test_auth]
-; authentication = enabled
-
 [eventtype=test_ipv6]
 network = enabled
 communicate = enabled
\ No newline at end of file
diff --git a/tests/e2e/addons/TA_cim_addon/default/transforms.conf b/tests/e2e/addons/TA_cim_addon/default/transforms.conf
deleted file mode 100644
index e69de29bb..000000000
From 05ce803b6eac32f40f9f378e50294684cf112001 Mon Sep 17 00:00:00 2001 From: harshilgajera-crest <69803385+harshilgajera-crest@users.noreply.github.com> Date: Wed, 8 May 2024 12:30:11 +0530 Subject: [PATCH 4/8] Update test_splunk_addon.py
---
 tests/e2e/test_splunk_addon.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/e2e/test_splunk_addon.py b/tests/e2e/test_splunk_addon.py
index a36b6b72d..f670c550e 100644
--- a/tests/e2e/test_splunk_addon.py
+++ b/tests/e2e/test_splunk_addon.py
@@ -779,7 +779,7 @@ def empty_method():
 "--search-interval=2",
 "--search-retry=4",
 "--search-index=*",
-"--splunk-data-generator=tests/addons/TA_transition_from_req/default",
+"--splunk-data-generator=tests/addons/TA_cim_addon/default",
 "-k test_cim_required_fields",
 )
 logger.info(result.outlines)
From 3015559a72a05671687e28924284cd7ce2ed174e Mon Sep 17 00:00:00 2001
From: Harshil Gajera Date: Wed, 8 May 2024 14:21:24 +0530 Subject: [PATCH 5/8] ci: updating e2e tests
---
 .../default/pytest-splunk-addon-data.conf | 9 +- .../TA_cim_addon/samples/result_mapping | 3 - .../samples/sample_requirement.xml | 91 ------------------- .../addons/TA_cim_addon/samples/test_sample | 1 + tests/e2e/test_splunk_addon.py | 2 +- 5 files changed, 8 insertions(+), 98 deletions(-) delete mode 100644 tests/e2e/addons/TA_cim_addon/samples/result_mapping delete mode 100644 tests/e2e/addons/TA_cim_addon/samples/sample_requirement.xml create mode 100644 tests/e2e/addons/TA_cim_addon/samples/test_sample
diff --git a/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf b/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf
index 5595c5680..07be16fb8 100644
--- a/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf
+++ b/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf
@@ -1,5 +1,4 @@
-[sample_requirement.xml]
-requirement_test_sample = 1
+[test_sample]
 interval = 30
 earliest = -60m
 latest = now
@@ -10,4 +9,8 @@ input_type = modinput
 host_type = plugin
 sourcetype_to_search = test:ipv6
 timestamp_type = plugin
-expected_event_count = 3
+expected_event_count = 35
+
+token.0.token = ##ip_address##
+token.0.replacementType = all
+token.0.replacement = list["1234::", "2001:db8::", "::1334", "::", "::1325", "2001:0db8::1:2:3456", "2001::1:2:3", "2001:db8::1:2", "::ffff:192.168.1.1", "::ffff:192.168.1.112", "::1", "2001:0db8::1:2:3", "ff02:0000:0000:0000:0000:0000:0000:0001", "fe80:0000:0000:0000:a299:9bff:fe18:50d1", "2001:0db8:1111:000a:00b0:0000:9000:0200", "2001:0db8:0000:0000:abcd:0000:0000:1234","2001:0db8:cafe:0001:0000:0000:0000:0100", "2001:0db8:cafe:0001:0000:0000:0000:0200", "1:2:3:4:5:6:7::", "fe80::a299:9bff:fe18:50d1", "::3212", "::1212", "2001::abcd::1234", "2001:db80:1000:a000:0000:bc00:abcd:d0b0","2001::abcd", "2001:0000:0000:0000:abcd:0000:0000:1234", "2001:0000:0000:abcd:0000:0000:0000:1234", "2001:0000:abcd:0000:0000:0000:0000:1234", "2001:db8:1111:a:b0:0:9000:200", "fe80:0:0:0:a299:9bff:fe18:50d1", "0:0:0:0:0:0:0:1", "0000:0000:0000:0000:0000:0000:0000:0001","0:0:0:0:0:0:ffff:192.168.10.10", "2001:0000:0000:0000:0000:abcd:0000:1", "::ffff:192.168.10.10"]
\ No newline at end of file
diff --git a/tests/e2e/addons/TA_cim_addon/samples/result_mapping b/tests/e2e/addons/TA_cim_addon/samples/result_mapping
deleted file mode 100644
index d7370d211..000000000
--- a/tests/e2e/addons/TA_cim_addon/samples/result_mapping
+++ /dev/null
@@ -1,3 +0,0 @@
-success,PASS
-failure,FAIL
-error,OTHER
\ No newline at end of file
diff --git a/tests/e2e/addons/TA_cim_addon/samples/sample_requirement.xml b/tests/e2e/addons/TA_cim_addon/samples/sample_requirement.xml
deleted file mode 100644
index df5e6f92a..000000000
--- a/tests/e2e/addons/TA_cim_addon/samples/sample_requirement.xml
+++ /dev/null
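Review bot: The `token.0.replacement` list contains `2001::abcd::1234`, which is not a valid IPv6 address (two `::` compressions), yet `expected_event_count = 35` counts it and the e2e test expects the `src_ip` required-field check to pass for every event; a pass there would show the data-model regex accepting the value through a partial match rather than prove the regex correct. Either drop that entry and set `expected_event_count = 34`, or keep it in a separate sample that is expected to fail validation, so the list only asserts positive cases. The list line also lacks a trailing newline (`\ No newline at end of file`), which is easy to fix while here.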
@@ -1,91 +0,0 @@ - - - OKTA - OKTA Identity Cloud - - - - 2023.10.0 - - - - generated, Generated from lab environment - - - - - Network_Traffic - - - - - - - bytes - bytes_in - bytes_out - dest_port - dest_zone - src_port - src_translated_ip - src_zone - - - - - 2023.10.0 - - - - generated, Generated from lab environment - - - - - Network_Traffic - - - - - - - bytes - bytes_in - bytes_out - dest_port - dest_zone - src_port - src_translated_ip - src_zone - - - - - 2023.10.0 - - - - generated, Generated from lab environment - - - - - Network_Traffic - - - - - - - bytes - bytes_in - bytes_out - dest_port - dest_zone - src_port - src_translated_ip - src_zone - - - - diff --git a/tests/e2e/addons/TA_cim_addon/samples/test_sample b/tests/e2e/addons/TA_cim_addon/samples/test_sample new file mode 100644 index 000000000..4205ff419 --- /dev/null +++ b/tests/e2e/addons/TA_cim_addon/samples/test_sample 
@@ -0,0 +1 @@
+{"actor": {"id": "spr6w8a2l2V88E3nk5d7", "type": "SystemPrincipal", "alternateId": "system@okta.com", "displayName": "Okta System", "detailEntry": null}, "client": {"userAgent": {"rawUserAgent": "Splunk Add-on for Okta Identity Cloud", "os": "Unknown", "browser": "UNKNOWN"}, "zone": "null", "device": "Unknown", "id": null, "ipAddress": "##ip_address##", "destadd": "0:0:0:0:0:0:0:1", "geographicalContext": null}, "device": null, "authenticationContext": {"authenticationProvider": null, "credentialProvider": null, "credentialType": null, "issuer": null, "interface": null, "authenticationStep": 0, "externalSessionId": null}, "displayMessage": "Blocked request from IP: 68c6:7554::89", "eventType": "security.request.blocked", "outcome": {"result": "SUCCESS", "reason": "NETWORK_ZONE_BLACKLIST"}, "published": "2023-10-11T10:28:27.114Z", "securityContext": {"asNumber": null, "asOrg": null, "isp": null, "domain": null, "isProxy": null}, "severity": "WARN", "debugContext": {"debugData": {"requestId": "ZSZ4y03BLKYbIGjkjkgRvgAADhk", "requestUri": "/api/v1/logs", "url": "/api/v1/logs?limit=1000&since=2023-10-11T09%3A01%3A17.417Z&until=2023-10-11T10%3A27%3A56.967Z"}}, "legacyEventType": "security.zone.request.blocked", "transaction": {"type": "WEB", "id": "ZSZ4y03BLKYbIGjkjkgRvgAADhk", "detail": {}}, "uuid": "ea1dfcef-6820-11ee-bb11-f3c3bf8f14d1", "version": "0", "request": {"ipChain": [{"ip": "68c6:7554::89", "geographicalContext": null, "version": "V4", "source": null}]}, "target": null}]]
\ No newline at end of file
diff --git a/tests/e2e/test_splunk_addon.py b/tests/e2e/test_splunk_addon.py
index a36b6b72d..f670c550e 100644
--- a/tests/e2e/test_splunk_addon.py
+++ b/tests/e2e/test_splunk_addon.py
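Review bot: The sample ends in `"target": null}]]`, so the event is not well-formed JSON (two unmatched closing brackets after the object); if `client.ipAddress` and `client.destadd` are produced by Splunk's JSON auto-extraction rather than an explicit regex, the `FIELDALIAS` entries in props.conf may have nothing to alias on a malformed event, which is worth confirming against the ingest result before relying on the 35-event count. Dropping the trailing `]]` makes the sample a single valid object. The embedded `request.ipChain[0]` also labels the IPv6 literal `68c6:7554::89` as `"version": "V4"`, which is harmless for this test but misleading as sample data.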
@@ -779,7 +779,7 @@ def empty_method():
 "--search-interval=2",
 "--search-retry=4",
 "--search-index=*",
-"--splunk-data-generator=tests/addons/TA_transition_from_req/default",
+"--splunk-data-generator=tests/addons/TA_cim_addon/default",
 "-k test_cim_required_fields",
 )
 logger.info(result.outlines)
From 06493d36ae8db8273e47688d7970dd42ce67ec3a Mon Sep 17 00:00:00 2001 From: Harshil Gajera Date: Wed, 8 May 2024 14:24:47 +0530 Subject: [PATCH 6/8] ci: updating manifest file
---
 tests/e2e/addons/TA_cim_addon/app.manifest | 4 ++-- tests/e2e/test_splunk_addon.py | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/tests/e2e/addons/TA_cim_addon/app.manifest b/tests/e2e/addons/TA_cim_addon/app.manifest
index 3a0ec6a1e..ebd7634ca 100644
--- a/tests/e2e/addons/TA_cim_addon/app.manifest
+++ b/tests/e2e/addons/TA_cim_addon/app.manifest
@@ -1,10 +1,10 @@
 {
 "schemaVersion": "2.0.0",
 "info": {
-"title": "TA_transition_from_req",
+"title": "TA_cim_addon",
 "id": {
 "group": null,
-"name": "TA_transition_from_req",
+"name": "TA_cim_addon",
 "version": "0.0.0-dev"
 },
 "author": [
diff --git a/tests/e2e/test_splunk_addon.py b/tests/e2e/test_splunk_addon.py
index f670c550e..49854518f 100644
--- a/tests/e2e/test_splunk_addon.py
+++ b/tests/e2e/test_splunk_addon.py
@@ -746,7 +746,7 @@ def empty_method():
 def test_splunk_cim_model_ipv6_regex(testdir, request):
 """
 In this test we are only checking if src_ip and dest_ip are extracted and are valid and tests are passing
-Both these fields contains diff advanced form of ipv6 formats which would then be extracted via fields in data modles
+scr_ip contains ~35 diff advanced form of ipv6 combinations that are tested in this case.
 """
 testdir.makepyfile(
 """
From a3979f456266742680d929a028f0f57210dc3661 Mon Sep 17 00:00:00 2001
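Review bot: The rewritten docstring line in the last hunk misspells the field as `scr_ip`, and the untouched line above it still says the tests "are passing" although the function asserts a non-zero exit code; replacing the two lines with `src_ip carries ~35 IPv6 forms (see pytest-splunk-addon-data.conf); only the src_ip/dest_ip results are expected to pass.` would describe both the data and the expected outcome. The body of `test_splunk_cim_model_ipv6_regex` continues outside this hunk.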
From: Harshil Gajera Date: Wed, 8 May 2024 18:12:45 +0530 Subject: [PATCH 7/8] ci: updating regex
---
 .../standard_lib/data_models/Intrusion_Detection.json | 4 ++-- .../standard_lib/data_models/Network_Resolution.json | 4 ++-- .../standard_lib/data_models/Network_Traffic.json | 10 +++++----- .../TA_cim_addon/default/pytest-splunk-addon-data.conf | 4 ++-- 4 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/pytest_splunk_addon/standard_lib/data_models/Intrusion_Detection.json b/pytest_splunk_addon/standard_lib/data_models/Intrusion_Detection.json
index 7d50d8b00..a0d121013 100644
--- a/pytest_splunk_addon/standard_lib/data_models/Intrusion_Detection.json
+++ b/pytest_splunk_addon/standard_lib/data_models/Intrusion_Detection.json
@@ -23,7 +23,7 @@ "name": "dest", "type": "conditional", "condition": "ids_type=\"network\"", - "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), 
if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", + "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", 
\"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", "comment": "The destination of the attack detected by the intrusion detection system (IDS). You can alias this from more specific fields not included in this data model, such as dest_host, dest_ip, or dest_name." }, { 
@@ -76,7 +76,7 @@ "name": "src", "type": "conditional", "condition": "ids_type=\"network\"", - "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), 
if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())", + "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", 
\"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())", "comment": "The source involved in the attack detected by the IDS. You can alias this from more specific fields not included in this data model, such as src_host, src_ip, or src_name." }, { diff --git a/pytest_splunk_addon/standard_lib/data_models/Network_Resolution.json b/pytest_splunk_addon/standard_lib/data_models/Network_Resolution.json index 656b26a95..021079943 100644 --- a/pytest_splunk_addon/standard_lib/data_models/Network_Resolution.json +++ b/pytest_splunk_addon/standard_lib/data_models/Network_Resolution.json 
@@ -38,7 +38,7 @@ { "name": "dest", "type": "required", - "validity": "case(in(upper(transport), \"TCP\", \"UDP\"), if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", + "validity": "case(in(upper(transport), \"TCP\", \"UDP\"), if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", "comment": "The destination of the network resolution event. You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." }, { 
@@ -151,7 +151,7 @@ { "name": "src", "type": "required", - "validity": "case(in(upper(transport), \"TCP\", \"UDP\"), if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())", + "validity": "case(in(upper(transport), \"TCP\", \"UDP\"), if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())", "comment": "The source of the network resolution event. You can alias this from more specific fields, such as src_host, src_ip, or src_name." }, { diff --git a/pytest_splunk_addon/standard_lib/data_models/Network_Traffic.json b/pytest_splunk_addon/standard_lib/data_models/Network_Traffic.json index 18bbeaf53..16b62ce39 100644 --- a/pytest_splunk_addon/standard_lib/data_models/Network_Traffic.json +++ b/pytest_splunk_addon/standard_lib/data_models/Network_Traffic.json 
@@ -53,7 +53,7 @@ { "name": "dest", "type": "required", - "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), 
if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", + "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", 
\"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(dest,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), dest, null()), match(dest,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), dest, true(), null())", "comment": "The destination of the network traffic (the remote host). You can alias this from more specific fields, such as dest_host, dest_ip, or dest_name." }, { @@ -65,7 +65,7 @@ "name": "dest_ip", "type": "conditional", "condition": "dest_ip=*", - "validity": "if(match(dest_ip, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"),dest_ip,null())", + "validity": "if(match(dest_ip, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"),dest_ip,null())", "comment": "The IP address of the destination." }, { 
@@ -168,7 +168,7 @@
 {
 "name": "protocol",
 "type": "conditional",
- "condition": "| where match(src, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\") or match(dest, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")",
+ "condition": "| where match(src, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\") or match(dest, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\")",
 "expected_values": ["ip", "icmp"],
 "comment": "The OSI layer 3 (network) protocol of the traffic observed, in lower case. For example, ip, appletalk, ipx."
 }, 
@@ -198,7 +198,7 @@
 {
 "name": "src",
 "type": "required",
- "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", \"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), 
if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())",
+ "validity": "case(in(upper(transport), \"HOPOPT\", \"ICMP\", \"IGMP\", \"GGP\", \"IP-IN-IP\", \"ST\", \"TCP\", \"CBT\", \"EGP\", \"IGP\", \"BBN-RCC-MON\", \"NVP-II\", \"PUP\", \"ARGUS\", \"EMCON\", \"XNET\", \"CHAOS\", \"UDP\", \"MUX\", \"DCN-MEAS\", \"HMP\", \"PRM\", \"XNS-ID\", \"TRUNK-1\", \"TRUNK-2\", \"LEAF-1\", \"LEAF-2\", \"RDP\", \"IRTP\", \"ISO-TP4\", \"NETBLT\", \"MFE-NSP\", \"MERIT-INP\", \"DCCP\", \"3CP\", \"IDPR\", \"XTP\", \"DDP\", \"IDPR-CMTP\", \"TP++\", \"IL\", \"IPV6\", \"SDRP\", \"IPV6-ROUTE\", \"IPV6-FRAG\", \"IDRP\", \"RSVP\", \"GRES\", \"DSR\", \"BNA\", \"ESP\", \"AH\", \"I-NLSP\", \"SWIPE\", \"NARP\", \"MOBILE\", \"TLSP\", \"SKIP\", \"IPV6-ICMP\", \"IPC6-NONXT\", \"IPV6-OPTS\", \"CFTP\", \"SAT-EXPAK\", \"KRYPTOLAN\", \"RVD\", \"IPPC\", \"SAT-MON\", \"VISA\", \"IPCU\", \"CPNX\", \"CPHB\", \"WSN\", \"PVP\", \"BR-SAT-MON\", \"SUN-ND\", \"WB-MON\", \"WB-EXPAK\", \"ISO-IP\", \"VMTP\", \"SECURE-VMTP\", \"VINES\", \"TTP\", \"IPTM\", \"NSFNET-IGP\", \"DGP\", \"TCF\", \"EIGRP\", \"OSPF\", \"SPRITE-RPC\", \"LARP\", \"MTP\", \"AX.25\", \"OS\", \"MICP\", \"SCC-SP\", \"ETHERIP\", \"ENCAP\", \"GMTP\", \"IFMP\", \"PNNI\", \"PIM\", \"ARIS\", \"SCPS\", \"QNX\", \"A/N\", \"IPCOMP\", \"SNP\", \"COMPAQ-PEER\", \"IPX-IN-IP\", \"VRRP\", \"PGM\", \"L2TP\", \"DDX\", \"IATP\", \"STP\", \"SRP\", \"UTI\", \"SMP\", \"SM\", \"PTP\", \"IS-IS OVER IPV4\", \"FIRE\", \"CRTP\", \"CRUDP\", \"SSCOPMCE\", \"IPLT\", \"SPS\", \"PIPE\", \"SCTP\", \"FC\", \"RSVP-E2E-IGNORE\", \"MOBILITY HEADER\", \"UDPLITE\", \"MPLS-IN-IP\", 
\"MANET\", \"HIP\", \"SHIM6\", \"WESP\", \"ROHC\", \"ETHERNET\"), if(match(src,\"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"), src, null()), match(src,\"^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$\"), src, true(), null())",
 "comment": "The source of the network traffic (the client requesting the connection). You can alias this from more specific fields, such as src_host, src_ip, or src_name.'"
 },
 {
@@ -270,7 +270,7 @@
 "name": "src_ip",
 "type": "conditional",
 "condition": "src_ip=*",
- "validity": "if(match(src_ip, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"),src_ip,null())",
+ "validity": "if(match(src_ip, \"(?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.*[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\\.(?4)){3})\"),src_ip,null())",
 "comment": "The ip address of the source."
 },
 {
diff --git a/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf b/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf
index 07be16fb8..e2b4c5f71 100644
--- a/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf
+++ b/tests/e2e/addons/TA_cim_addon/default/pytest-splunk-addon-data.conf 
@@ -9,8 +9,8 @@
 input_type = modinput
 host_type = plugin
 sourcetype_to_search = test:ipv6
 timestamp_type = plugin
-expected_event_count = 35
+expected_event_count = 34
 token.0.token = ##ip_address##
 token.0.replacementType = all
-token.0.replacement = list["1234::", "2001:db8::", "::1334", "::", "::1325", "2001:0db8::1:2:3456", "2001::1:2:3", "2001:db8::1:2", "::ffff:192.168.1.1", "::ffff:192.168.1.112", "::1", "2001:0db8::1:2:3", "ff02:0000:0000:0000:0000:0000:0000:0001", "fe80:0000:0000:0000:a299:9bff:fe18:50d1", "2001:0db8:1111:000a:00b0:0000:9000:0200", "2001:0db8:0000:0000:abcd:0000:0000:1234","2001:0db8:cafe:0001:0000:0000:0000:0100", "2001:0db8:cafe:0001:0000:0000:0000:0200", "1:2:3:4:5:6:7::", "fe80::a299:9bff:fe18:50d1", "::3212", "::1212", "2001::abcd::1234", "2001:db80:1000:a000:0000:bc00:abcd:d0b0","2001::abcd", "2001:0000:0000:0000:abcd:0000:0000:1234", "2001:0000:0000:abcd:0000:0000:0000:1234", "2001:0000:abcd:0000:0000:0000:0000:1234", "2001:db8:1111:a:b0:0:9000:200", "fe80:0:0:0:a299:9bff:fe18:50d1", "0:0:0:0:0:0:0:1", "0000:0000:0000:0000:0000:0000:0000:0001","0:0:0:0:0:0:ffff:192.168.10.10", "2001:0000:0000:0000:0000:abcd:0000:1", "::ffff:192.168.10.10"]
\ No newline at end of file
+token.0.replacement = list["1234::", "2001:db8::", "::1334", "::", "::1325", "2001:0db8::1:2:3456", "2001::1:2:3", "2001:db8::1:2", "::ffff:192.168.1.1", "::ffff:192.168.1.112", "::1", "2001:0db8::1:2:3", "ff02:0000:0000:0000:0000:0000:0000:0001", "fe80:0000:0000:0000:a299:9bff:fe18:50d1", "2001:0db8:1111:000a:00b0:0000:9000:0200", "2001:0db8:0000:0000:abcd:0000:0000:1234","2001:0db8:cafe:0001:0000:0000:0000:0100", "2001:0db8:cafe:0001:0000:0000:0000:0200", "1:2:3:4:5:6:7::", "fe80::a299:9bff:fe18:50d1", "::3212", "::1212", "2001:db80:1000:a000:0000:bc00:abcd:d0b0","2001::abcd", "2001:0000:0000:0000:abcd:0000:0000:1234", "2001:0000:0000:abcd:0000:0000:0000:1234", "2001:0000:abcd:0000:0000:0000:0000:1234", "2001:db8:1111:a:b0:0:9000:200", 
"fe80:0:0:0:a299:9bff:fe18:50d1", "0:0:0:0:0:0:0:1", "0000:0000:0000:0000:0000:0000:0000:0001","0:0:0:0:0:0:ffff:192.168.10.10", "2001:0000:0000:0000:0000:abcd:0000:1", "::ffff:192.168.10.10"]
\ No newline at end of file
From 92ed8aeac537ec31d5d85a0ca89f41d440f6d5f9 Mon Sep 17 00:00:00 2001
From: Harshil Gajera
Date: Thu, 9 May 2024 11:36:43 +0530
Subject: [PATCH 8/8] ci: updating smaple addone
---
 tests/e2e/addons/TA_cim_addon/default/props.conf | 3 +-
 tests/e2e/addons/TA_cim_addon/samples/test_sample | 2 +-
 tests/e2e/constants.py | 1 -
 3 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/tests/e2e/addons/TA_cim_addon/default/props.conf b/tests/e2e/addons/TA_cim_addon/default/props.conf
index 8d7e87dcf..61ea2fdb3 100644
--- a/tests/e2e/addons/TA_cim_addon/default/props.conf
+++ b/tests/e2e/addons/TA_cim_addon/default/props.conf
@@ -1,3 +1,2 @@
 [test:ipv6]
-FIELDALIAS-client_ipAddress_as_src_ip = client.ipAddress AS src_ip
-FIELDALIAS-client_destadd_as_dest_ip = client.destadd AS dest_ip
+FIELDALIAS-ipAddress_as_src_ip = ipAddress AS src_ip
diff --git a/tests/e2e/addons/TA_cim_addon/samples/test_sample b/tests/e2e/addons/TA_cim_addon/samples/test_sample
index 4205ff419..ee02375c6 100644
--- a/tests/e2e/addons/TA_cim_addon/samples/test_sample
+++ b/tests/e2e/addons/TA_cim_addon/samples/test_sample 
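Review bot: Dropping `2001::abcd::1234` from `token.0.replacement` removes the only malformed address in the sample list, so the tightened `::` lookahead in this series has no negative coverage — nothing asserts that a double-`::` value is now rejected, and this list would pass against the old regex just as well. Keeping that value under a separate sourcetype whose CIM result is expected to fail (or an explicit negative-sample entry, if the framework supports one) would pin the new behaviour rather than just stop exercising the old one. The `expected_event_count` change from 35 to 34 matches the single removed entry and looks consistent.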
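Review bot: Removing the `client.destadd AS dest_ip` alias here, together with the `destadd` field dropped from `test_sample` and the `All_Traffic::dest_ip` expectation dropped from `constants.py` in the next two hunks, leaves the `dest_ip` validity regex changed earlier in this series with no end-to-end check; only `src_ip` is asserted afterwards. Keeping a second field in the minimal sample, e.g. `{"ipAddress": "##ip_address##", "destadd": "0:0:0:0:0:0:0:1"}` with a `FIELDALIAS-destadd_as_dest_ip = destadd AS dest_ip` line, would keep both fields under test. The new `ipAddress AS src_ip` alias does match the flattened sample, so the rename itself looks consistent.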
@@ -1 +1 @@
-{"actor": {"id": "spr6w8a2l2V88E3nk5d7", "type": "SystemPrincipal", "alternateId": "system@okta.com", "displayName": "Okta System", "detailEntry": null}, "client": {"userAgent": {"rawUserAgent": "Splunk Add-on for Okta Identity Cloud", "os": "Unknown", "browser": "UNKNOWN"}, "zone": "null", "device": "Unknown", "id": null, "ipAddress": "##ip_address##", "destadd": "0:0:0:0:0:0:0:1", "geographicalContext": null}, "device": null, "authenticationContext": {"authenticationProvider": null, "credentialProvider": null, "credentialType": null, "issuer": null, "interface": null, "authenticationStep": 0, "externalSessionId": null}, "displayMessage": "Blocked request from IP: 68c6:7554::89", "eventType": "security.request.blocked", "outcome": {"result": "SUCCESS", "reason": "NETWORK_ZONE_BLACKLIST"}, "published": "2023-10-11T10:28:27.114Z", "securityContext": {"asNumber": null, "asOrg": null, "isp": null, "domain": null, "isProxy": null}, "severity": "WARN", "debugContext": {"debugData": {"requestId": "ZSZ4y03BLKYbIGjkjkgRvgAADhk", "requestUri": "/api/v1/logs", "url": "/api/v1/logs?limit=1000&since=2023-10-11T09%3A01%3A17.417Z&until=2023-10-11T10%3A27%3A56.967Z"}}, "legacyEventType": "security.zone.request.blocked", "transaction": {"type": "WEB", "id": "ZSZ4y03BLKYbIGjkjkgRvgAADhk", "detail": {}}, "uuid": "ea1dfcef-6820-11ee-bb11-f3c3bf8f14d1", "version": "0", "request": {"ipChain": [{"ip": "68c6:7554::89", "geographicalContext": null, "version": "V4", "source": null}]}, "target": null}]]
\ No newline at end of file
+{"ipAddress": "##ip_address##"}
\ No newline at end of file
diff --git a/tests/e2e/constants.py b/tests/e2e/constants.py
index c97098fa4..ead3981cd 100644
--- a/tests/e2e/constants.py
+++ b/tests/e2e/constants.py 
@@ -923,6 +923,5 @@
 ]
 TA_CIM_MODEL_RESULT = [
- '*test_splunk_cim_model_ipv6_regex.py::Test_App::test_cim_required_fields[eventtype="test_ipv6"::All_Traffic::dest_ip* PASSED*',
 '*test_splunk_cim_model_ipv6_regex.py::Test_App::test_cim_required_fields[eventtype="test_ipv6"::All_Traffic::src_ip* PASSED*',
 ]