
I have a DNS event (Event ID 257) where I want to extract the response data from the hex string in the "PacketData" field. I have obtained the last eight characters from the value, e.g. "0A180366", which represents the IP address 10.24.3.102.


0A (hex) is 10 (decimal)
18 (hex) is 24 (decimal)
03 (hex) is 3 (decimal)
66 (hex) is 102 (decimal)


Does anyone know how to do this within the parser? I would like to transform the hex value into an IP address or string.

Thanks in advance for your help!

 

Hi @smaxs ,

You can refer to the link below to convert hex to an IP address.

https://cloud.google.com/chronicle/docs/reference/parser-syntax#base64_function 


Hi @sudeep_singh ,

thx for the quick reply. I tried this before, but I got:

Failed to create filter from agent 10: filter factory failed for "hex": line 65, col 5: no filter implemented for "hex" label

#####Code#########

if [ip4hex] != "" {
  hex {
    source => "ip4hex"
    target => "ip_address_string"
  }
  mutate {
    merge => {
      "event1.idm.read_only_udm.target.ip" => "%{ip_address_string}"
    }
  }
}
 
######Code End#############



What would the exact function for hex be?




Is it possible to share the sample whole raw log with the Data Label you're ingesting?




Here is an example log; the logs are ingested via bindplane (ETW DNSServer logs):

 

{
  "correlation": {},
  "event_data": {
    "AA": "0",
    "AD": "0",
    "AdditionalInfo": "VirtualizationInstance:.",
    "BufferSize": "103",
    "DNSSEC": "0",
    "Destination": "10.24.3.100",
    "ElapsedTime": "10",
    "Flags": "33152",
    "GUID": "{1CB404A8-2040-4920-81AB-C665980BA483}",
    "InterfaceIP": "10.24.2.100",
    "PacketData": "0xED39818000010002000000000B636C6F7564677A2D6563730B677261766974797A6F6E650B626974646566656E64657203636F6D0000010001C00C000500010000002600120B636C6F7564677A2D65637303676370C018C0450001000100000026000423CFAD4D",
    "PolicyName": "NULL",
    "Port": "51501",
    "QNAME": "cloudgz-ecs.gravityzone.bitdefender.com.",
    "QTYPE": "1",
    "RCODE": "0",
    "Scope": "Default",
    "TCP": "0",
    "XID": "60729",
    "Zone": "..Cache"
  },
  "event_id": {
    "id": "257"
  },
  "execution": {
    "process_id": "1704",
    "thread_id": "6060"
  },
  "keywords": "9223372036854775810",
  "opcode": "",
  "provider": {
    "guid": "{EB79061A-A566-4698-9119-3ED2807060E7}",
    "name": "Microsoft-Windows-DNSServer"
  },
  "security": {
    "sid": "S-1-5-18"
  },
  "task": "LOOK_UP ",
  "thread_id": "6060"
}

 

I would like to extract the IP information from the "PacketData":
"PacketData": "0xED39818000010002000000000B636C6F7564677A2D6563730B677261766974797A6F6E650B626974646566656E64657203636F6D0000010001C00C000500010000002600120B636C6F7564677A2D65637303676370C018C0450001000100000026000423CFAD4D"

  • 0001: This is the TYPE, which is 1, representing an A record (IPv4 address).
  • 0001: This is the CLASS, which is 1, representing IN (Internet).
  • 00000026: This is the TTL (Time To Live), which is 38 seconds (0x26).
  • 0004: This is the RDLENGTH (Resource Data Length), which is 4 bytes.
  • 23CFAD4D: This is the RDATA for the A record, which is the IPv4 address.
    • 23 = 35
    • CF = 207
    • AD = 173
    • 4D = 77
    • So the IPv4 address is 35.207.173.77.
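To show how the PacketData field decodes end to end rather than only the last eight characters, here is an added Python example (not code from the thread, and not Chronicle parser syntax) that reads the DNS header, skips the question, follows RFC 1035 compression pointers and returns every answer record, rendering A records as dotted quads. The only input is the PacketData value from the log above.

```python
import struct

# Copied from the PacketData value in the log above, with the "0x" prefix stripped.
PACKET_HEX = ("ED39818000010002000000000B636C6F7564677A2D6563730B677261766974797A6F6E65"
              "0B626974646566656E64657203636F6D0000010001C00C000500010000002600120B636C6F"
              "7564677A2D65637303676370C018C0450001000100000026000423CFAD4D")

def read_name(pkt, off):
    """Read a possibly compressed name (RFC 1035 4.1.4); return (name, next_off)."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                 # 2-byte pointer: 11xxxxxx xxxxxxxx
            if not jumped:
                end = off + 2                     # caller resumes after the pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)

def parse_answers(hex_data):
    """Return [(owner_name, rtype, ttl, rdata_text), ...] for every answer RR."""
    pkt = bytes.fromhex(hex_data[2:] if hex_data[:2].lower() == "0x" else hex_data)
    _xid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qdcount):                      # skip QNAME + QTYPE + QCLASS
        _, off = read_name(pkt, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A: four raw bytes -> dotted quad
            value = ".".join(str(b) for b in pkt[off:off + 4])
        elif rtype == 5:                          # CNAME: name that may point back into pkt
            value, _ = read_name(pkt, off)
        else:
            value = pkt[off:off + rdlen].hex()    # anything else: leave as hex
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return answers

def a_record_ips(hex_data):                       # just the IPv4 addresses, as asked above
    return [v for _, t, _, v in parse_answers(hex_data) if t == 1]
```

On the sample this yields a CNAME to cloudgz-ecs.gcp.gravityzone.bitdefender.com followed by the A record 35.207.173.77, matching the manual breakdown; the 103 decoded bytes also match the event's BufferSize.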
