topic Re: How to exclude private ip address range from results? in Splunk Search

How to exclude private ip address range from results?

damode — Wed, 01 May 2019 06:42:27 GMT

How to modify the below query to exclude private ip address range from source IPs (src_ip) ?

index=cisco eventtype=cisco-firewall host="*" action="blocked" src_ip="*" dest_ip="*" src_port="*" dest_port="*" transport="*" service="*" | top src_ip

Re: How to exclude private ip address range from results?

harsmarvania57 — Wed, 01 May 2019 08:07:21 GMT

Hi @damode,

You can use CIDR block to exclude private IP ranges.

For IPv4 you can try below query, if your organization is using some other IP ranges in private network then you need to add those in your search as well.

index=cisco eventtype=cisco-firewall host="*" action="blocked" dest_ip="*" src_port="*" dest_port="*" transport="*" service="*" NOT (src_ip="10.0.0.0/8" OR src_ip="172.16.0.0/12" OR src_ip="192.168.0.0/16")

Re: How to exclude private ip address range from results?

damode — Mon, 06 May 2019 06:44:46 GMT

Thanks alot!

Re: How to exclude private ip address range from results?

msquicc — Fri, 31 Mar 2023 13:47:55 GMT

Since Heff mentioned it, in order to validate private/public IPv4, I made myself an eval-based macro with the following:

case(
cidrmatch("10.0.0.0/8",$IP$),"False",
cidrmatch("172.16.0.0/12",$IP$),"False",
cidrmatch("192.168.0.0/16",$IP$),"False",
isnull($IP$) OR like($IP$,""), "False",
match($IP$,"^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$"),"True")

Then, I can use it in any query like:

| eval Remote_Address_isExternal = `isExternalIPv4(Remote_Address)`

The last line tests for a valid IPv4 address. The best regex for validating IPV4 is an ever-evolving conversation on stack overflow. So, I used the latest from there, but from this highest rated answer, not the accepted one: https://stackoverflow.com/a/36760050/6376311