topic Re: tstats search not filtering out local IP ranges in Splunk Search

Why are tstats search not filtering out local IP ranges?

dmbrcx — Wed, 15 Mar 2023 18:31:10 GMT

Hi,

I am using tstats to search the Network Datamodel for outbound SMB traffic (port 445) to external IP address ranges.

Why are local IP ranges still appearing in my search results?

Here is my syntax:

| tstats summariesonly=t fillnull_value="MISSING" count from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port="445" AND NOT All_Traffic.dest IN ("10.0.0.0/8","172.16.0.0/16","192.168.0.0/24") earliest=-15m latest=now by _time, All_Traffic.dest, All_Traffic.dest_port,All_Traffic.src, All_Traffic.src_port, All_Traffic.action, All_Traffic.bytes, index, sourcetype

Screenshot:

I believe I have filtered them correctly, but hmm...

Re: tstats search not filtering out local IP ranges

yuanliu — Wed, 15 Mar 2023 04:46:48 GMT

Two things. First, CIDR match doesn't go with the IN operator. You have to specify them individually, like

| tstats summariesonly=t fillnull_value="MISSING" count from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest_port="445" AND NOT (All_Traffic.dest="10.0.0.0/8" OR All_Traffic.dest="172.16.0.0/16" OR All_Traffic.dest="192.168.0.0/24") earliest=-15m latest=now by _time, All_Traffic.dest, All_Traffic.dest_port,All_Traffic.src, All_Traffic.src_port, All_Traffic.action, All_Traffic.bytes, index, sourcetype

Second, beware of Limitations of CIDR matching with tstats.

Re: tstats search not filtering out local IP ranges

dmbrcx — Wed, 15 Mar 2023 05:24:32 GMT

Thank you. Those limitations are interesting. I am surprised I have not noticed this issue before.