Solved: InfoSec App External IPs including 1918 Addresses

moogmusic · ‎08-07-2020

I've just been reviewing the Firewalls dashboard in the Continuous Monitoring section of the InfoSec app - the search that powers the External Source and Destination IP counts is this:

| tstats summariesonly=true allow_old_summaries=true dc(All_Traffic.src_ip) from datamodel=Network_Traffic where All_Traffic.src_ip!=10.0.0.0/8 All_Traffic.src_ip!=192.168.0.0/16 All_Traffic.src_ip!=172.16.0.0/12

If change dc(All_Traffic.src_ip) to values(All_Traffic.src_ip), the list of IPs generated includes all our 10.0.0.0/8 addresses - I've seen this problem with other tstats network searches I've tried to run and thought I wasn't formatting the search properly but there's clearly an issue with the All_Traffic.src_ip!=10.0.0.0/8 filter

Anyone else seen this/got a solution?

Thanks

moogmusic · ‎08-18-2020

Turns out this is not implemented until 7.3 and we're running 7.2.9.

View solution in original post

moogmusic · ‎08-18-2020

Turns out this is not implemented until 7.3 and we're running 7.2.9.

InfoSec App External IPs including 1918 Addresses

dashboard

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation