Merge pull request #1373 from SEKOIA-IO/fix/infoblox_ddi_format

Fix: Infoblox DDI format improvement
SEKOIA-IO · Dec 11, 2024 · 0691629 · 0691629
2 parents 838ce6c + 7964add
commit 0691629
Show file tree

Hide file tree

Showing 20 changed files with 1,007 additions and 9 deletions.
diff --git a/Infoblox/ddi/_meta/fields.yml b/Infoblox/ddi/_meta/fields.yml
@@ -2,3 +2,28 @@ infoblox.ddi.category:
   description: The logging category of this event.
   name: infoblox.ddi.category
   type: keyword
+
+infoblox.dhcp.circuit_id:
+  description: The circuit ID.
+  name: infoblox.dhcp.circuit_id
+  type: keyword
+
+infoblox.dhcp.interface_ip:
+  description: The IP address of the interface.
+  name: infoblox.dhcp.interface_ip
+  type: ip
+
+infoblox.dhcp.lease_time:
+  description: The lease time.
+  name: infoblox.dhcp.lease_time
+  type: keyword
+
+infoblox.dhcp.router_ip:
+  description: The IP address of the router.
+  name: infoblox.dhcp.router_ip
+  type: ip
+
+infoblox.dhcp.trans_id:
+  description: The transaction ID.
+  name: infoblox.dhcp.trans_id
+  type: keyword
diff --git a/Infoblox/ddi/_meta/smart-descriptions.json b/Infoblox/ddi/_meta/smart-descriptions.json
@@ -16,5 +16,32 @@
         "type": "request resolution of"
       }
     ]
+  },
+  {
+    "value": "{source.ip} perform {event.action}",
+    "conditions": [
+      {
+        "field": "source.ip"
+      },
+      {
+        "field": "event.action"
+      }
+    ]
+  },
+  {
+    "value": "Query from {source.ip}",
+    "conditions": [
+      {
+        "field": "source.ip"
+      }
+    ]
+  },
+  {
+    "value": "Query to {destination.ip}",
+    "conditions": [
+      {
+        "field": "destination.ip"
+      }
+    ]
   }
 ]
diff --git a/Infoblox/ddi/ingest/parser.yml b/Infoblox/ddi/ingest/parser.yml
diff --git a/Infoblox/ddi/tests/query_log_dhcp_1.json b/Infoblox/ddi/tests/query_log_dhcp_1.json
@@ -0,0 +1,31 @@
+{
+  "input": {
+    "message": "Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)"
+  },
+  "expected": {
+    "message": "Option 82: received a REQUEST DHCP packet from relay-agent eth2 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.222 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)",
+    "event": {
+      "action": "REQUEST DHCP",
+      "reason": "lease time is undefined seconds. (NEW)"
+    },
+    "dns": {
+      "header_flags": [],
+      "type": "query"
+    },
+    "infoblox": {
+      "dhcp": {
+        "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0"
+      }
+    },
+    "related": {
+      "ip": [
+        "192.168.1.222"
+      ]
+    },
+    "source": {
+      "address": "192.168.1.222",
+      "ip": "192.168.1.222",
+      "mac": "00:50:56:ae:b3:44"
+    }
+  }
+}
diff --git a/Infoblox/ddi/tests/query_log_dhcp_2.json b/Infoblox/ddi/tests/query_log_dhcp_2.json
@@ -0,0 +1,31 @@
+{
+  "input": {
+    "message": "Option 82: received a REQUEST DHCP packet from relay-agent 192.168.1.53 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.53 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)"
+  },
+  "expected": {
+    "message": "Option 82: received a REQUEST DHCP packet from relay-agent 192.168.1.53 with a circuit-id of \"1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0\", a remote-id of \"0a:44:70:46\" for 192.168.1.53 (00:50:56:ae:b3:44) lease time is undefined seconds. (NEW)",
+    "event": {
+      "action": "REQUEST DHCP",
+      "reason": "lease time is undefined seconds. (NEW)"
+    },
+    "dns": {
+      "header_flags": [],
+      "type": "query"
+    },
+    "infoblox": {
+      "dhcp": {
+        "circuit_id": "1a:02:30:00:00:00:00:76:00:00:00:00:00:00:2a:f0"
+      }
+    },
+    "related": {
+      "ip": [
+        "192.168.1.53"
+      ]
+    },
+    "source": {
+      "address": "192.168.1.53",
+      "ip": "192.168.1.53",
+      "mac": "00:50:56:ae:b3:44"
+    }
+  }
+}
diff --git a/Infoblox/ddi/tests/query_log_dhcp_3.json b/Infoblox/ddi/tests/query_log_dhcp_3.json
@@ -0,0 +1,31 @@
+{
+  "input": {
+    "message": "DHCPREQUEST for 192.168.1.107 from e8:c8:29:5c:c8:99 via 192.168.1.107 TransID 80b994d6"
+  },
+  "expected": {
+    "message": "DHCPREQUEST for 192.168.1.107 from e8:c8:29:5c:c8:99 via 192.168.1.107 TransID 80b994d6",
+    "event": {
+      "action": "DHCPREQUEST"
+    },
+    "dns": {
+      "header_flags": [],
+      "type": "query"
+    },
+    "infoblox": {
+      "dhcp": {
+        "interface_ip": "192.168.1.107",
+        "trans_id": "80b994d6"
+      }
+    },
+    "related": {
+      "ip": [
+        "192.168.1.107"
+      ]
+    },
+    "source": {
+      "address": "192.168.1.107",
+      "ip": "192.168.1.107",
+      "mac": "e8:c8:29:5c:c8:99"
+    }
+  }
+}
diff --git a/Infoblox/ddi/tests/query_log_dhcp_4.json b/Infoblox/ddi/tests/query_log_dhcp_4.json
@@ -0,0 +1,38 @@
+{
+  "input": {
+    "message": "DHCPREQUEST for 192.168.1.208 from 00:50:56:ae:17:c6 (VDPSCE080019) via eth2 TransID 823c1fa3 uid 01:00:50:56:ae:17:c6 (RENEW)"
+  },
+  "expected": {
+    "message": "DHCPREQUEST for 192.168.1.208 from 00:50:56:ae:17:c6 (VDPSCE080019) via eth2 TransID 823c1fa3 uid 01:00:50:56:ae:17:c6 (RENEW)",
+    "event": {
+      "action": "DHCPREQUEST",
+      "reason": "RENEW"
+    },
+    "dns": {
+      "header_flags": [],
+      "type": "query"
+    },
+    "infoblox": {
+      "dhcp": {
+        "trans_id": "823c1fa3"
+      }
+    },
+    "observer": {
+      "ingress": {
+        "interface": {
+          "name": "eth2"
+        }
+      }
+    },
+    "related": {
+      "ip": [
+        "192.168.1.208"
+      ]
+    },
+    "source": {
+      "address": "192.168.1.208",
+      "ip": "192.168.1.208",
+      "mac": "00:50:56:ae:17:c6"
+    }
+  }
+}
diff --git a/Infoblox/ddi/tests/query_log_dhcp_5.json b/Infoblox/ddi/tests/query_log_dhcp_5.json
@@ -0,0 +1,33 @@
+{
+  "input": {
+    "message": "DHCPREQUEST for 192.168.1.95 (192.168.1.95) from d8:94:03:ec:da:d1 via 192.168.1.95 TransID ac1b72c4: lease 192.168.1.95 unavailable."
+  },
+  "expected": {
+    "message": "DHCPREQUEST for 192.168.1.95 (192.168.1.95) from d8:94:03:ec:da:d1 via 192.168.1.95 TransID ac1b72c4: lease 192.168.1.95 unavailable.",
+    "event": {
+      "action": "DHCPREQUEST",
+      "reason": "lease 192.168.1.95 unavailable."
+    },
+    "dns": {
+      "header_flags": [],
+      "type": "query"
+    },
+    "infoblox": {
+      "dhcp": {
+        "interface_ip": "192.168.1.95",
+        "router_ip": "192.168.1.95",
+        "trans_id": "ac1b72c4"
+      }
+    },
+    "related": {
+      "ip": [
+        "192.168.1.95"
+      ]
+    },
+    "source": {
+      "address": "192.168.1.95",
+      "ip": "192.168.1.95",
+      "mac": "d8:94:03:ec:da:d1"
+    }
+  }
+}
diff --git a/Infoblox/ddi/tests/query_log_dhcp_6.json b/Infoblox/ddi/tests/query_log_dhcp_6.json
@@ -0,0 +1,32 @@
+{
+  "input": {
+    "message": "DHCPREQUEST for 192.168.1.159 from c8:09:a8:f8:cd:e8 via 192.168.1.159 TransID e711c0c1: ignored (unknown subnet)."
+  },
+  "expected": {
+    "message": "DHCPREQUEST for 192.168.1.159 from c8:09:a8:f8:cd:e8 via 192.168.1.159 TransID e711c0c1: ignored (unknown subnet).",
+    "event": {
+      "action": "DHCPREQUEST",
+      "reason": "ignored (unknown subnet)."
+    },
+    "dns": {
+      "header_flags": [],
+      "type": "query"
+    },
+    "infoblox": {
+      "dhcp": {
+        "interface_ip": "192.168.1.159",
+        "trans_id": "e711c0c1"
+      }
+    },
+    "related": {
+      "ip": [
+        "192.168.1.159"
+      ]
+    },
+    "source": {
+      "address": "192.168.1.159",
+      "ip": "192.168.1.159",
+      "mac": "c8:09:a8:f8:cd:e8"
+    }
+  }
+}
diff --git a/Infoblox/ddi/tests/query_log_dhcp_7.json b/Infoblox/ddi/tests/query_log_dhcp_7.json
@@ -0,0 +1,32 @@
+{
+  "input": {
+    "message": "DHCPACK on 192.168.1.138 to 08:71:90:8d:0b:5d (P70955) via eth2 relay 192.168.1.138 lease-duration 172800"
+  },
+  "expected": {
+    "message": "DHCPACK on 192.168.1.138 to 08:71:90:8d:0b:5d (P70955) via eth2 relay 192.168.1.138 lease-duration 172800",
+    "event": {
+      "action": "DHCPACK"
+    },
+    "dns": {
+      "header_flags": [],
+      "type": "query"
+    },
+    "observer": {
+      "ingress": {
+        "interface": {
+          "name": "eth2"
+        }
+      }
+    },
+    "related": {
+      "ip": [
+        "192.168.1.138"
+      ]
+    },
+    "source": {
+      "address": "192.168.1.138",
+      "ip": "192.168.1.138",
+      "mac": "08:71:90:8d:0b:5d"
+    }
+  }
+}
diff --git a/Infoblox/ddi/tests/query_log_dhcp_8.json b/Infoblox/ddi/tests/query_log_dhcp_8.json
@@ -0,0 +1,27 @@
+{
+  "input": {
+    "message": "r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$"
+  },
+  "expected": {
+    "message": "r-l-e:192.168.1.113,Fixed,P76984,c4:d0:e3:b4:08:4d,1732119022,1732291822,,$",
+    "dns": {
+      "header_flags": [],
+      "type": "query"
+    },
+    "infoblox": {
+      "ddi": {
+        "category": "Fixed"
+      }
+    },
+    "related": {
+      "ip": [
+        "192.168.1.113"
+      ]
+    },
+    "source": {
+      "address": "192.168.1.113",
+      "ip": "192.168.1.113",
+      "mac": "c4:d0:e3:b4:08:4d"
+    }
+  }
+}
diff --git a/Infoblox/ddi/tests/query_log_dns_1.json b/Infoblox/ddi/tests/query_log_dns_1.json
@@ -0,0 +1,36 @@
+{
+  "input": {
+    "message": "FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53"
+  },
+  "expected": {
+    "message": "FORMERR resolving 'test.testing.io/AAAA/IN': 192.168.1.136#53",
+    "event": {
+      "action": "FORMERR"
+    },
+    "destination": {
+      "address": "192.168.1.136",
+      "ip": "192.168.1.136",
+      "port": 53
+    },
+    "dns": {
+      "header_flags": [],
+      "question": {
+        "class": "IN",
+        "name": "test.testing.io",
+        "registered_domain": "testing.io",
+        "subdomain": "test",
+        "top_level_domain": "io",
+        "type": "AAAA"
+      },
+      "type": "query"
+    },
+    "related": {
+      "hosts": [
+        "test.testing.io"
+      ],
+      "ip": [
+        "192.168.1.136"
+      ]
+    }
+  }
+}