+1
I have a DNS event (Event ID 257) where I want to extract the response data from the hex string in the "PacketData" field. I have obtained the last eight characters from the value, e.g. "0A180366", which represents the IP address 10.24.3.102.
0A (hex) is 10 (decimal)
18 (hex) is 24 (decimal)
03 (hex) is 3 (decimal)
66 (hex) is 102 (decimal)
Does anyone know how to do this within the parser? I would like to transform the hex value into an IP address or string.
Thanks in advance for your help!
+6Hi @smaxs ,
You can refer the below link to convert hexa to ip address.
https://cloud.google.com/chronicle/docs/reference/parser-syntax#base64_function
+1Hi @sudeep_singh ,
thx for the quick reply. I tried this before, but I got:
Failed to create filter from agent 10: filter factory failed for "hex": line 65, col 5: no filter implemented for "hex" label
#####Code#########
What would the exact function for hex be?
+6Hi @sudeep_singh ,
thx for the quick reply. I tried this before, but I got:
Failed to create filter from agent 10: filter factory failed for "hex": line 65, col 5: no filter implemented for "hex" label
#####Code#########
What would the exact function for hex be?
Is it possible to share the sample whole raw log with the Data Label you're ingesting?
+1Is it possible to share the sample whole raw log with the Data Label you're ingesting?
here is an example log, logs are ingested via bindplane (etw DNSServer logs):
{
"correlation": {},
"event_data": {
"AA": "0",
"AD": "0",
"AdditionalInfo": "VirtualizationInstance:.",
"BufferSize": "103",
"DNSSEC": "0",
"Destination": "10.24.3.100",
"ElapsedTime": "10",
"Flags": "33152",
"GUID": "{1CB404A8-2040-4920-81AB-C665980BA483}",
"InterfaceIP": "10.24.2.100",
"PacketData": "0xED39818000010002000000000B636C6F7564677A2D6563730B677261766974797A6F6E650B626974646566656E64657203636F6D0000010001C00C000500010000002600120B636C6F7564677A2D65637303676370C018C0450001000100000026000423CFAD4D",
"PolicyName": "NULL",
"Port": "51501",
"QNAME": "cloudgz-ecs.gravityzone.bitdefender.com.",
"QTYPE": "1",
"RCODE": "0",
"Scope": "Default",
"TCP": "0",
"XID": "60729",
"Zone": "..Cache"
},
"event_id": {
"id": "257"
},
"execution": {
"process_id": "1704",
"thread_id": "6060"
},
"keywords": "9223372036854775810",
"opcode": "",
"provider": {
"guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
"name": "Microsoft-Windows-DNSServer"
},
"security": {
"sid": "S-1-5-18"
},
"task": "LOOK_UP ",
"thread_id": "6060"
}
I would like to extract the ip information from the "PacketData":
"PacketData": "0xED39818000010002000000000B636C6F7564677A2D6563730B677261766974797A6F6E650B626974646566656E64657203636F6D0000010001C00C000500010000002600120B636C6F7564677A2D65637303676370C018C0450001000100000026000423CFAD4D"
0001: This is the TYPE, which is 1, representing an A record (IPv4 address).
0001: This is the CLASS, which is 1, representing IN (Internet).
00000026: This is the TTL (Time To Live), which is 38 seconds (0x26).
0004: This is the RDLENGTH (Resource Data Length), which is 4 bytes.
23CFAD4D: This is the RDATA for the A record, which is the IPv4 address.
23 = 35
CF = 207
AD = 173
4D = 77
So the IPv4 address is 35.207.173.77.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.