Getting Data In

inputs.conf - acceptFrom - Maximum number of blocked IP's?

NullZero
Path Finder

I'm working on system whereby Vulnerability Analysis (VA) scanners are polling various LAN segments, which is resulting in garbage data being ingested by indexers legitimately listening on 9997, as the VA scanners do their job and try to identify known vulnerabilities.

inputs.conf caters for this and allows a list of IP's to block followed by an accept all, and quoting the example:

* You can also prefix an entry with '!' to cause the rule to reject the
  connection. The input applies rules in order, and uses the first one that
  matches.
  For example, "!10.1/16, *" allows connections from everywhere except
  the 10.1.*.* network.

 

In the instance that I am working on there are ~40 individual /32 IP's before the * catch all permit in the format below (I have obfuscated the actual IP's for placeholders for the purpose of publishing here).

[default]

acceptFrom = "!10.1.x.x, !10.2.x.x, !10.3.x.x, *"

 

However this has not worked and all traffic is being dropped which can be seen via a simple UI search

index=_internal host=xxxxx log_level=WARN component=TcpInputProc

It reliably tells me data is rejected due to acceptFrom. This leads me to two possible solutions:

  • A: My syntax is incorrect and the " are not required, despite being shown in the example.
  • B: The excessive length of blocked IP's may be too long to be processed, but I have no way of knowing what the max length is?
  • C: Community answer...

My next steps beyond the community will be to try to recreate in a lab instance and experiment with altered syntax.

Labels (1)
0 Karma
1 Solution

NullZero
Path Finder

Solution:

We removed the inverted commas and everything works as it should, I submitted feedback to the docs page for inputs.conf.

- I still don't know the maximum block list size however.

View solution in original post

0 Karma

NullZero
Path Finder

Solution:

We removed the inverted commas and everything works as it should, I submitted feedback to the docs page for inputs.conf.

- I still don't know the maximum block list size however.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...