Splunk Enterprise Security

Splunk Enterprise Security: How can I do a cidrmatch against a data model field?

klawman
Explorer

I'm working with Splunk Enterprise Security and I'm trying to build/refine correlations against the Network Traffic Data Model.

I want to exclude destination addresses in RFC1918 space. When working with the Data Model, how do you express the equivalent of

 NOT cidrmatch ("172.16.0.0/20", All_Traffic.dest)

Every combination I try gives me the error

Error in 'TsidxStats': WHERE clause is not an exact query
1 Solution

javiergn
SplunkTrust
SplunkTrust

You can use CIDR support in the search operator.
For example, the following won't work:

yoursearch NOT "10.0.0.1/16"

But this will:

yoursearch NOT yourIPFieldName="10.0.0.1/16"

In your case it should be something like:

| search NOT All_Traffic.dest="172.16.0.0/20"

You might be able to apply that filter as part of your tstats search. If you post your whole query I can try to be more specific.

Thanks,
J


0 Karma


klawman
Explorer

I couldn't apply the filter as part of the tstats but your logic worked by adding a secondary search stanza AFTER the tstats search.

Thanks!

0 Karma

javiergn
SplunkTrust
SplunkTrust

No worries.
If you could post your final query here and mark it as answered I'm sure it would help others.

Thanks,
J

klawman
Explorer

Sure.

I'm still refining the port definitions (would love to be able to use "in") but here is the working query.

It looks for outbound traffic to IRC ports, excludes RFC1918 space and looks for multiple packets to avoid 'light' port scanning (we're seeing a lot of false-positives with some VoIP apps).

| tstats `summariesonly` max(_time) as _time, values(All_Traffic.action) as action, values(All_Traffic.src_port) as src_port, count
    from datamodel=Network_Traffic
    where * (All_Traffic.dest_port="6660" OR All_Traffic.dest_port="6661" OR All_Traffic.dest_port="6662" OR All_Traffic.dest_port="6663" OR All_Traffic.dest_port="6664" OR All_Traffic.dest_port="6665" OR All_Traffic.dest_port="6666" OR All_Traffic.dest_port="6667" OR All_Traffic.dest_port="6668" OR All_Traffic.dest_port="6669" OR All_Traffic.dest_port="7000")
          (All_Traffic.action="allowed" OR All_Traffic.action="blocked")
    by All_Traffic.src, All_Traffic.dest, All_Traffic.transport, All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| search NOT dest="10.0.0.0/8" NOT dest="172.16.0.0/12" NOT dest="192.168.0.0/16"
| sort action
| where count>10
| fields _time, action, src, dest, transport, dest_port, count
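As an added example (not from either poster), the same detection with the RFC1918 exclusion written as the original question wanted it: the TsidxStats error comes from the tstats WHERE clause, which only accepts exact index-time terms, but cidrmatch is an eval function and is accepted by the where command once tstats has returned its rows. The filter below is equivalent to the `| search NOT dest="..."` stage in the final query above and uses the full 172.16.0.0/12 range rather than the /20 in the question.

```spl
| tstats `summariesonly` max(_time) as _time, values(All_Traffic.action) as action, values(All_Traffic.src_port) as src_port, count
    from datamodel=Network_Traffic
    where (All_Traffic.dest_port="6660" OR All_Traffic.dest_port="6661" OR All_Traffic.dest_port="6662" OR All_Traffic.dest_port="6663" OR All_Traffic.dest_port="6664" OR All_Traffic.dest_port="6665" OR All_Traffic.dest_port="6666" OR All_Traffic.dest_port="6667" OR All_Traffic.dest_port="6668" OR All_Traffic.dest_port="6669" OR All_Traffic.dest_port="7000")
          (All_Traffic.action="allowed" OR All_Traffic.action="blocked")
    by All_Traffic.src, All_Traffic.dest, All_Traffic.transport, All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| where NOT cidrmatch("10.0.0.0/8", dest)
    AND NOT cidrmatch("172.16.0.0/12", dest)
    AND NOT cidrmatch("192.168.0.0/16", dest)
| where count>10
| sort action
| fields _time, action, src, dest, transport, dest_port, count
```

The cidrmatch form runs on the aggregated rows after the data model has been summarised, so it costs no more than the search-stage version, and it keeps the exclusion as a single readable expression when more private or trusted ranges need to be added.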