How to find events that have non RFC1918 addresses

wtaylor149 — Thu, 23 Sep 2021 20:13:21 GMT

Issue I'm facing:

My use case is to detect a successful ssh login from an external ip_address.

I have my linux logs in: index=linux_logs

These logs have a field called "hostname". "hostname" is sometimes a FQDN and sometimes it's an ip_address. I have an asset list (lookup file), assets.csv. Not all of the FQDN from the linux_logs are in this list.

Here is my initial query:

index=linux_logs sourcetype=syslog exe="/usr/sbin/sshd" res=success NOT hostname=?

| stats count, min(_time) as first_time, max(_time) as last_time, values(dest) as dest, values(hostname) as src by acct

| lookup assets.csv dns AS src OUTPUT ip

| fillnull value=no_ip ip

A sample of the results:

acct	count	first_time	last_time	dest	hostname	ip
user1	50	epoch_time_format	epoch_time_format	host1.mycompany.com	src1.mycompany.com	10.36.25.14
user2	40	epoch_time_format	epoch_time_format	host3.mycompany.com	src3.mycompany.com	no_ip

I want to eliminate the RFC1918 and keep the "no_ip" and ip's outside of the RFC1918 ranges. I do have a lookup for the rfc1918 ranges but I'm struggling with how to write the spl to check the "ip" field for what I need. Any help is greatly appreciated.

Re: How to find events that have non RFC1918 addresses

PickleRick — Fri, 24 Sep 2021 06:01:35 GMT

| where NOT cidrmatch("10.0.0.0/8,ip) AND NOT cidrmatch("192.168.0.0/16",ip) AND [...]

topic Re: How to find events that have non RFC1918 addresses in Splunk Search

How to find events that have non RFC1918 addresses

Re: How to find events that have non RFC1918 addresses