Solved: Blacklisting IPv4 Ranges on Inputs.conf WinNetMon

elaborateGecko · ‎03-20-2022

Hello,

Thank you for taking the time to consider my question. I'm currently working on a solution that would report all outbound IPv4 connections from Windows workstations, but in order to reduce the volume of these logs I'd like to blacklist (or in another sense whitelist) some of the normal (internal) sites that users will be visiting often, so as not to kill our entire license.

I have been closely reading the inputs.conf Splunk documentation where it's clear that this functionality is possible using regex, but for some reason mine isn't working.

I am using analytics markets' IP range regular expression builder to find the correct syntax, and testing it using the very well known and common tool regex101.

My inputs.conf (subtracting other configs out of scope of this topic) is as follows:

[WinNetMon://OutboundMon]
disabled=0
addressFamily=ipv4;ipv6
direction=outbound
index=winnetmon
sourcetype=WinEventLog
packetType=connect;accept
protocol=tcp;udp
blacklist1 = ^10\.(([1-9]?\d|[12]\d\d)\.){2}([1-9]?\d|[12]\d\d)$
blacklist2 = ^192\.168\.([1-9]|[1-9]\d|[12]\d\d)\.([1-9]?\d|[12]\d\d)$

Essentially, just as a test, I am just trying to see if I can eliminate traffic logs from all internal (private) IP ranges, in this case the test ranges being 10.0.0.0/8 and 192.168.0.0/16.

If I put these in regex101 and enter addresses within each of those ranges they are highlighted, but when I test internal connections and expect no logs to show up, sure enough they still populate for destination addresses within those ranges, so what gives?

Many thanks in advance

VatsalJagani · ‎03-20-2022

@elaborateGecko

inputs.conf spec doesn't say any parameter blacklist is present. So we have to use a different parameter called remoteAddress.

Here is the stanza you can use:

[WinNetMon://OutboundMon]
disabled=0
addressFamily=ipv4
direction=outbound
index=winnetmon
sourcetype=WinEventLog
packetType=connect;accept
protocol=tcp;udp
remoteAddress = ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!172\.(16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31))(?<!127)(?<!^10)(?<!^0)\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!192\.168)(?<!172\.(16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31))\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$

My understanding is that you want to capture all outbound traffic but only for public internal and not the internal traffic. (Reference where I copy my regex from, so you can confirm whether you need that or something else - https://stackoverflow.com/questions/33453057/regex-to-only-match-public-ipv4-address)

Hope this helps. Consider accepting the answer if it solves your problem.

View solution in original post

richgalloway · ‎03-20-2022

The blacklist[1-9] settings only apply to WinEventLog stanzas. As I read the inputs.conf.spec file, there are no allow/deny list settings for WinNetMon.

If blacklist1 did apply to WinNetMon then the setting would have to be in the format key=regex (which is not true of the example). The list of valid keys does not include an IP address.

---
If this reply helps you, Karma would be appreciated.

VatsalJagani · ‎03-20-2022

@elaborateGecko

inputs.conf spec doesn't say any parameter blacklist is present. So we have to use a different parameter called remoteAddress.

Here is the stanza you can use:

[WinNetMon://OutboundMon]
disabled=0
addressFamily=ipv4
direction=outbound
index=winnetmon
sourcetype=WinEventLog
packetType=connect;accept
protocol=tcp;udp
remoteAddress = ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!172\.(16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31))(?<!127)(?<!^10)(?<!^0)\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!192\.168)(?<!172\.(16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31))\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$

My understanding is that you want to capture all outbound traffic but only for public internal and not the internal traffic. (Reference where I copy my regex from, so you can confirm whether you need that or something else - https://stackoverflow.com/questions/33453057/regex-to-only-match-public-ipv4-address)

Hope this helps. Consider accepting the answer if it solves your problem.

elaborateGecko · ‎03-20-2022

@vats thank you very much for providing such a brilliant workaround. I have since accepted your answer as the solution, and my only other question is do you know of the potential performance impacts from filtering aggressively using regex?

If you have implemented the config you provided at a large scale than I imagine it has a small overhead, but I just want to know in advance if you've had any trouble with that.

Many thanks!

VatsalJagani · ‎03-21-2022

It will have small high performance impact depending on the network traffic and how much is internal and how much is external.

This will happen at input stage.

So each host will run regex for the current host. Host which has more networking usually has more resources to handle this. So shouldn't be a problem.

I would say you can start with this configuration and monitor the performance impact on the servers which has lot of network traffic.

Blacklisting IPv4 Ranges on Inputs.conf WinNetMon

other

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life