Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Exclude IP range based on dynamic file list on the web

pir8radio
Path Finder
‎04-12-2020 01:11 PM

Question, the list returned in the link posted below updates now and then. I would like a way to filter my firewall results with a dropdown to "filter cloudflare IP's" using field3. anyway i just need an example on how I could use this dynamic list link below in my search to filter out those IP ranges? any easy way? I dont want to download the file and massage it, i would rather pull it live from their server, either on a schedule or whatever, then write a search to reference that list. otherwise i have to NOT, NOT, NOT and update my search whenever the new list comes out.

Link to dynamic IP Range list:
https://www.cloudflare.com/ips-v4

Current search:
sourcetype=Firewall Dst_Port!="-" Action=ALLOW Path=RECEIVE Src_IP=$field3$ Src_IP!="127.0.0.1" Src_IP!="::1" NOT (Src_IP="10.0.0.0/8" OR Src_IP="172.16.0.0/12" OR Src_IP="192.168.0.0/16")
| stats count by Src_IP Dst_Port Protocol Action
| sort -count
| rename Src_IP as "Source IP" Dst_Port as "Destination Port"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-12-2020 01:34 PM 
sourcetype=Firewall Dst_Port!="-" Action=ALLOW Path=RECEIVE [|inputlookup ips_v4.csv |rename _raw as Src_IP | format] Src_IP!="127.0.0.1" Src_IP!="::1" NOT (Src_IP="10.0.0.0/8" OR Src_IP="172.16.0.0/12" OR Src_IP="192.168.0.0/16")
| stats count by Src_IP Dst_Port Protocol Action
| sort -count
| rename Src_IP as "Source IP" Dst_Port as "Destination Port"

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-12-2020 01:34 PM 
sourcetype=Firewall Dst_Port!="-" Action=ALLOW Path=RECEIVE [|inputlookup ips_v4.csv |rename _raw as Src_IP | format] Src_IP!="127.0.0.1" Src_IP!="::1" NOT (Src_IP="10.0.0.0/8" OR Src_IP="172.16.0.0/12" OR Src_IP="192.168.0.0/16")
| stats count by Src_IP Dst_Port Protocol Action
| sort -count
| rename Src_IP as "Source IP" Dst_Port as "Destination Port"
Reply
Solved! Jump to solution

pir8radio
Path Finder
‎04-12-2020 01:38 PM

see I thought of that but didn't try it, I didn't think the format would have worked. I'll give it a go, thanks.

0 Karma
Reply
Solved! Jump to solution

pir8radio
Path Finder
‎04-12-2020 01:40 PM

but how do I add a web link as the lookup without manually downloading/uploading the file? I want this to happen automatically.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-12-2020 01:46 PM

you should make add_on or script.

0 Karma
Reply
Solved! Jump to solution

pir8radio
Path Finder
‎04-12-2020 01:48 PM

ok thats what i thought... Thanks, ill just grab the results in a powershell script and write to a file on schedule. Thanks.

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-12-2020 01:53 PM

If you make apps, mkdir lookups and put on your Csv.

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...