topic Re: How to match an IP address from a lookup table of cidr ranges? in Splunk Search

How to match an IP address from a lookup table of cidr ranges?

glenngermiathen — Thu, 03 Sep 2015 17:59:40 GMT

I'm trying to search records where the destination IP is in a lookup table consisting of a list of cidr ranges, but the source IP is not in one of those ranges. This was my initial thought on how to do it.

index=* | fields srcip dstip | where cidrmatch([| inputlookup IP_Ranges], dstip)  AND !cidrmatch([| inputlookup IP_Ranges], srcip)

The lookup table is just a list of cidr ranges like
10.0.1.0/24
10.0.5.0/24
10.0.100.0/24

Any suggestions are greatly appreciated.

Re: How to match an IP address from a lookup table of cidr ranges?

glenngermiathen — Thu, 03 Sep 2015 19:40:34 GMT

Or just how should I go about matching the IP address from the cidr ranges?

index=* | fields srcip dstip | where cidrmatch([| inputlookup IP_Ranges], dstip)

Re: How to match an IP address from a lookup table of cidr ranges?

lguinn2 — Thu, 03 Sep 2015 22:19:31 GMT

The problem is that the first argument for cidrmatch is not a list of subnets, it is a string. And I don't know if the string can contain multiple subnets.

Another way to do this is to use the lookup command. But for this to work, you need to make sure that the following options appear in your transforms.conf

[IP_Ranges]
min_matches = 1
default_match = NONE
match_type = CIDR(cidr_range)

This assumes that your lookup file has a header row (which it must) and that the field name in the header is cidr_range.

index=* | fields srcip dstip 
| lookup IP_Ranges cidr_range as srcip OUTPUT cidr_range as src_match
| where src_match != "NONE"
| lookup IP_Ranges cidr_range as dstip OUTPUT cidr_range as dst_match
| where dst_match != "NONE"
| etc

Now you have two new fields, src_match and dst_match which will contain all the subnets that matched the srcip and dstip, respectively. If an ip does not match any subnets, the field will contain the string "NONE".

Re: How to match an IP address from a lookup table of cidr ranges?

paulstark — Thu, 03 Dec 2015 22:16:51 GMT

nicely done

Re: How to match an IP address from a lookup table of cidr ranges?

aakwah — Mon, 08 Aug 2016 13:53:46 GMT

Thanks that hellped me a lot !

Re: How to match an IP address from a lookup table of cidr ranges?

mathiask — Tue, 16 Aug 2016 22:28:44 GMT

How about mixed IPv4 and IPv6 CIDR matches

ip_range,info
192.168.1.0/24,foo
2001::1/48,bar

Re: How to match an IP address from a lookup table of cidr ranges?

JensT — Thu, 02 Feb 2017 13:44:28 GMT

Hi Lisa,

great thing.
Can this be done without transforms.conf?
I.E. just upload the csv and then do the lookup inline?
(Our users are 'of course' not allowed to modify Splunk configs)

Rgds,
Jens

Re: How to match an IP address from a lookup table of cidr ranges?

jwalzerpitt — Thu, 24 Aug 2017 14:45:48 GMT

I'm trying to apply this query to a search of my Symantec logs and I'm having issues getting output to return the subnets that matched the src and dest IPs. My search is as follows:

index=symantec sourcetype=symantec:ep:risk:file action=allowed OR action=deferred AND Risk_Action="Virus found" | rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name" | fields "Host IP"
| lookup ip_cidr cidr_range as "Host IP" OUTPUT cidr_range as ip_match

My lookup file has three other columns in addition to cidr_range. What I'd like to do is match the src or dest IP to the IP cidr and then pull the zone/firewall/context the user is associated with.

Would appreciate any help

Thx

Re: How to match an IP address from a lookup table of cidr ranges?

TonyLeeVT — Tue, 29 Sep 2020 23:58:13 GMT

A friend pointed this out, but this can be done without CLI access now. Perform the following:

1) Settings -> Lookups -> Lookup Definitions
2) Check the box for: "Advanced options"
3) Match type: CIDR([fieldname]) <-- fieldname is the field with the CIDR addresses in it

Then in your search:
... | lookup [fieldname] as src_ip OUTPUT site as src_site

Re: How to match an IP address from a lookup table of cidr ranges?

ankurpwc — Sun, 26 May 2019 09:55:10 GMT

This was very helpful, thanks

Re: How to match an IP address from a lookup table of cidr ranges?

niddhi — Thu, 30 May 2019 21:01:39 GMT

HI,

I did exactly the same steps, but i am only getting NONE (default) for all the entries. I have checked and matches do exists on the csv file. Any pointers on why ip is not getting matched to CIDR and how can it be resolved?

Re: How to match an IP address from a lookup table of cidr ranges?

ohbuckeyeio — Wed, 06 Nov 2019 18:14:56 GMT

Late to the show here, but I had the same issue. Found I had spaces at the end of my cidr_range values. If you copy/paste, make sure there are no leading/trailing spaces.