splunk / pytest-splunk-addon

A Dynamic test tool for Splunk Technology Add-ons
https://splunk.github.io/pytest-splunk-addon/
Apache License 2.0

fix: updating ipv6-v4 regex in data models #831

Closed harshilgajera-crest closed 4 months ago

harshilgajera-crest commented 4 months ago

The current regex for data models supports only basic IPv6 regex.

Support for advanced representation of IPv6 is required, hence this PR supports that.

ref: IPv6 representation - https://en.wikipedia.org/wiki/IPv6#Address_representation

Tested it with the GCP add-on, which has a combination of IPv4 and v6 samples in host fields; also tested it on https://github.com/splunk/splunk-add-on-for-okta-identity-cloud/pull/261 where advanced IPv6 representation is present.

Added e2e test which tests extraction of some ipv6 formats using src_ip and dest_ip fields in network_traffic data model

Tested the regex with the samples below. Regex: (?:(?:::ffff:)|(?:[0-9a-fA-F]{1,4}:){6}ffff:)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?>([a-f0-9]{1,4})(?>:(?1)){7}|(?!(?:.[a-f0-9](?>:|$)){8,})^((?1)(?>:(?1)){0,6})?::(?2)?(?!(?:.[a-f0-9](?>:|$))))|(?>(?>(?1)(?>:(?1)){5}:|(?!(?:.*[a-f0-9]:){6,})(?3)?::(?>((?1)(?>:(?1)){0,4}):)?)?(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(?>\.(?4)){3})

1234:: 2001:db8:: ::1334 :: ::1325 2001:0db8::1:2:3456 2001::1:2:3 2001:db8::1:2 ::ffff:192.168.1.1 :: ::ffff:192.168.1.112 ::1 2001:0db8::1:2:3 0000:0000:0000:0000:0000:0000:0000:0001 ff02:0000:0000:0000:0000:0000:0000:0001 fe80:0000:0000:0000:a299:9bff:fe18:50d1 2001:0db8:1111:000a:00b0:0000:9000:0200 2001:0db8:0000:0000:abcd:0000:0000:1234 2001:0db8:cafe:0001:0000:0000:0000:0100 2001:0db8:cafe:0001:0000:0000:0000:0200 2001:db80:1000:a000:0000:bc00:abcd:d0b0 1:2:3:4:5:6:7:: fe80::a299:9bff:fe18:50d1 ::3212 ::1212 2001::abcd::1234 2001:db80:1000:a000:0000:bc00:abcd:d0b0 2001::abcd 2001:0000:0000:0000:abcd:0000:0000:1234 2001:0000:0000:abcd:0000:0000:0000:1234 2001:0000:abcd:0000:0000:0000:0000:1234 2001:db8:1111:a:b0:0:9000:200 fe80:0:0:0:a299:9bff:fe18:50d1 0:0:0:0:0:0:0:1 0000:0000:0000:0000:0000:0000:0000:0001 0:0:0:0:0:0:ffff:192.168.10.10 2001:0000:0000:0000:0000:abcd:0000:1 ::ffff:192.168.10.10 2001:0db8::1:2:3
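The reviewer below asks whether the samples above can be carried into the test pipeline. The posted regex relies on PCRE features (atomic groups `(?>...)` and subpattern recursion `(?1)`) that Python's `re` module does not implement, so the added script below, which is not part of the PR or of pytest-splunk-addon, uses the standard-library `ipaddress` parser as an independent oracle instead. It classifies each sample (plain IPv6, IPv4-mapped `::ffff:a.b.c.d`, IPv4, or invalid) so that every sample can carry an expected result in a parametrised test rather than being assumed to match. The sample list is a constructed copy of the one in the description; the function names (`classify`, `audit`, `invalid_samples`, `expected_rows`) are this example's own.

```python
import ipaddress

# Constructed copy of the whitespace-separated sample list posted in the PR
# description (typed in here, not read from the page at runtime).
SAMPLE_TEXT = """
1234:: 2001:db8:: ::1334 :: ::1325 2001:0db8::1:2:3456 2001::1:2:3 2001:db8::1:2
::ffff:192.168.1.1 :: ::ffff:192.168.1.112 ::1 2001:0db8::1:2:3
0000:0000:0000:0000:0000:0000:0000:0001 ff02:0000:0000:0000:0000:0000:0000:0001
fe80:0000:0000:0000:a299:9bff:fe18:50d1 2001:0db8:1111:000a:00b0:0000:9000:0200
2001:0db8:0000:0000:abcd:0000:0000:1234 2001:0db8:cafe:0001:0000:0000:0000:0100
2001:0db8:cafe:0001:0000:0000:0000:0200 2001:db80:1000:a000:0000:bc00:abcd:d0b0
1:2:3:4:5:6:7:: fe80::a299:9bff:fe18:50d1 ::3212 ::1212 2001::abcd::1234
2001:db80:1000:a000:0000:bc00:abcd:d0b0 2001::abcd
2001:0000:0000:0000:abcd:0000:0000:1234 2001:0000:0000:abcd:0000:0000:0000:1234
2001:0000:abcd:0000:0000:0000:0000:1234 2001:db8:1111:a:b0:0:9000:200
fe80:0:0:0:a299:9bff:fe18:50d1 0:0:0:0:0:0:0:1
0000:0000:0000:0000:0000:0000:0000:0001 0:0:0:0:0:0:ffff:192.168.10.10
2001:0000:0000:0000:0000:abcd:0000:1 ::ffff:192.168.10.10 2001:0db8::1:2:3
"""

SAMPLES = SAMPLE_TEXT.split()


def classify(token):
    """Classify one token using the stdlib parser as the oracle.

    Returns "ipv6", "ipv6-ipv4-mapped" (the ::ffff:a.b.c.d form), "ipv4",
    or None when the token is not a syntactically valid address at all
    (for example two "::" runs, or more than eight 16-bit groups).
    """
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return None
    if addr.version == 4:
        return "ipv4"
    return "ipv6-ipv4-mapped" if addr.ipv4_mapped is not None else "ipv6"


def audit(tokens):
    """Map each distinct token (first-seen order, duplicates dropped) to its class."""
    return {tok: classify(tok) for tok in dict.fromkeys(tokens)}


def invalid_samples(tokens):
    """Sorted list of tokens the oracle rejects.

    A regex that fully matches any of these is accepting a malformed address,
    so a pipeline test should expect them NOT to be extracted as IPv6.
    """
    return sorted(tok for tok, kind in audit(tokens).items() if kind is None)


def expected_rows(tokens):
    """Rows a parametrised pytest case could consume: (sample, should_match)."""
    return [(tok, kind is not None) for tok, kind in audit(tokens).items()]


if __name__ == "__main__":
    for tok, kind in audit(SAMPLES).items():
        print(f"{tok:45} {kind or 'INVALID'}")
    print("invalid samples:", invalid_samples(SAMPLES))
```

Running it shows two samples in the posted list that are not valid addresses: `2001::abcd::1234` contains two `::` runs, and `0:0:0:0:0:0:ffff:192.168.10.10` spells out nine 16-bit groups (six zeros, `ffff`, and the 32-bit IPv4 tail), whereas the valid mapped form is `::ffff:192.168.10.10`. Carrying a per-sample expected outcome into the pipeline keeps such cases from silently passing as "matched".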

harshilgajera-crest commented 4 months ago

Can we have more IPv6-related tests in sample_requirement.xml file? You mention in the description of this PR that you tested a bunch of different combinations - did you test them manually? Can we bring them into PSA's pipeline?

So I tested them on regex101 with all the samples; I have provided the regex and IPv6 samples in the description.

harshilgajera-crest commented 4 months ago

Can we have more IPv6-related tests in sample_requirement.xml file? You mention in the description of this PR that you tested a bunch of different combinations - did you test them manually? Can we bring them into PSA's pipeline?

Let me see if I can somehow tokenize the events, because otherwise it would not be possible; we would have to copy-paste events 30-40 times.

srv-rr-github-token commented 3 months ago

:tada: This PR is included in version 5.2.6 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket: