[Infoblox NIOS] Handle the parsing of IPv6 address #13947

Merged
efd6 merged 4 commits into elastic:main from moxarth-rathod:infoblox-nios-13782
May 23, 2025

@moxarth-rathod moxarth-rathod commented May 20, 2025

Proposed commit message

infoblox_nios: handle the parsing of ipv6 address

The convert processor failed to parse IPv6 addresses with octal
encoding. So a script processor has been added to parse the
octal-encoded IPv6 address before applying the convert processor.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install elastic package locally.
  • Start elastic stack using elastic-package.
  • Move to integrations/packages/infoblox_nios directory.
  • Run the following command to run tests.

elastic-package test

Related issues

@moxarth-rathod moxarth-rathod self-assigned this May 20, 2025
@moxarth-rathod moxarth-rathod requested a review from a team as a code owner May 20, 2025 11:01
@moxarth-rathod moxarth-rathod added Integration:infoblox_nios Infoblox NIOS bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:SDE-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels May 20, 2025
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

Comment on lines +123 to +129
if (ip.charAt(i) == (char)92) {
output.append(':');
i += 4;
} else {
output.append(ip.charAt(i));
i++;
}
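Review bot: In the `if (ip.charAt(i) == (char)92)` branch, the three characters skipped by `i += 4` are never read, so every escape becomes `:` whatever value it encodes, and a backslash that is not followed by three octal digits silently swallows the next three characters. Suggest decoding the three digits (or at least checking that they are `072`) and leaving the field unchanged when the escape is malformed, so that a bad value fails in the convert processor instead of turning into a plausible address.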
Contributor

I don't think this is correct (though it does reflect what I wrote — sorry); it only handles the case that the octal encoding is directly encoding the colon (0o072), but this is not the case in the failing sample that was provided in the issue, 2001\063210\063210\0653\061\07123.

If that encoding is included in the tests, we get an IP of 2001:210:210:3::23, but I think we should be getting something that reflects the values that are octal encoded, which we don't. However, if I try to do that (https://go.dev/play/p/QwfsMKbHiY5), it fails because the last octal encoding specifies a 9, which leaves us with invalid IPv6 syntax (if I replace the \071 with \072 it is correct).

I think we should take this back to the issue and clarify the situation.
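
The two readings of the `\NNN` escapes contrasted in this comment, as an added Go example (not code from the PR or the integration). `replaceEscapes` mirrors the reviewed loop; `decodeOctal`, `isAddr` and the second input string are hypothetical names and constructed data.

```go
package main

import (
	"fmt"
	"net/netip"
	"strconv"
)

// replaceEscapes mirrors the reviewed loop: '\' plus the next three characters becomes ':'.
func replaceEscapes(s string) string {
	var b []byte
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '\\' {
			c, i = ':', i+3 // the skipped characters are never inspected
		}
		b = append(b, c)
	}
	return string(b)
}

// decodeOctal emits the byte each \NNN escape encodes and rejects malformed escapes.
func decodeOctal(s string) (string, error) {
	var b []byte
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '\\' {
			if i+4 > len(s) {
				return "", fmt.Errorf("truncated escape at offset %d", i)
			}
			v, err := strconv.ParseUint(s[i+1:i+4], 8, 8)
			if err != nil {
				return "", fmt.Errorf("bad escape at offset %d: %w", i, err)
			}
			c, i = byte(v), i+3
		}
		b = append(b, c)
	}
	return string(b), nil
}

func isAddr(s string) bool { _, err := netip.ParseAddr(s); return err == nil }

func main() {
	for _, s := range []string{`2001\063210\063210\0653\061\07123`, `2001\072db8\072\0721`} { // 2nd is constructed
		d, err := decodeOctal(s)
		fmt.Printf("replace=%q decode=%q err=%v valid=%v\n", replaceEscapes(s), d, err, isAddr(d))
	}
}
```

On the sample from the issue, the replace reading yields a string that parses as an address while the decoded reading does not; the two agree only when every escape is `\072`.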

StringBuilder output = new StringBuilder();
int i = 0;
while (i < ip.length()) {
if (ip.charAt(i) == (char)92) {
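Review bot: On the `if (ip.charAt(i) == (char)92)` line the backslash is written as the numeric code 92, which hides what the loop is scanning for. Compare against the character literal instead, and add a one-line comment above the `while` stating the `\NNN` escape form the input is expected to use.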
Contributor

Suggested change
if (ip.charAt(i) == (char)92) {
if (ip.charAt(i) == (char)'\\') {

moxarth-rathod and others added 2 commits May 22, 2025 16:09
Co-authored-by: Dan Kortschak <dan.kortschak@elastic.co>
@moxarth-rathod moxarth-rathod requested a review from efd6 May 23, 2025 05:24
@elasticmachine

💚 Build Succeeded

History

cc @moxarth-rathod

@efd6 efd6 left a comment

Thanks

@efd6 efd6 merged commit 5eebb94 into elastic:main May 23, 2025
8 checks passed
@elastic-vault-github-plugin-prod

Package infoblox_nios - 1.29.1 containing this change is available at https://epr.elastic.co/package/infoblox_nios/1.29.1/

anupratharamachandran pushed a commit to anupratharamachandran/integrations that referenced this pull request Jun 2, 2025
The convert processor failed to parse IPv6 addresses with octal
encoding. So a script processor has been added to parse the
octal-encoded IPv6 address before applying the convert processor.