Re: Tracking known malicious IP ranges

jshultz · ‎03-15-2016

We are blocking a list of different known malicious IP ranges on our checkpoint firewalls. We do receive the syslog info from checkpoint just fine. How can I search for all of the different ranges and put them into a dashboard?

esix_splunk · ‎03-15-2016

You can also search for cidr blocks in lookups. One approach would be to keep that list of known malicious IP ranges in a CSV lookup (Could be a database and pull it with DBX..)

Configure cidr based lookups.. In transforms, you need to configure the cidr field..

 [badipranges]
 filename = badipranges.csv
 max_matches = 1
 min_matches = 1
 default_match = OK
 match_type = CIDR(badiprange)

Note that CIDR(badiprange) tells Splunk which field is in CIDR notation.

You can then run your lookups against this list.

richgalloway · ‎03-15-2016

Is the block list known to Splunk, either in a CSV file or SQL database?

---
If this reply helps you, Karma would be appreciated.

jshultz · ‎03-15-2016

It is not in a csv. I could find those ranges in a csv.

Tracking known malicious IP ranges

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...