Splunk Enterprise Security: How can I do a cidrmatch against a data model field?

klawman
Explorer

I'm working with Splunk Enterprise Security and I'm trying to build/refine correlations against the Network Traffic Data Model.

I want to exclude destination addresses in RFC1918 space. When working with the Data Model, how do you express the equivalent of

 NOT cidrmatch ("172.16.0.0/20", All_Traffic.dest)

Every combination I try gives me the error

Error in 'TsidxStats': WHERE clause is not an exact query

javiergn
SplunkTrust

You can use CIDR support in the search operator.
For example, the following won't work:

yoursearch NOT "10.0.0.1/16"

But this will:

yoursearch NOT yourIPFieldName="10.0.0.1/16"

In your case it should be something like:

| search NOT All_Traffic.dest="172.16.0.0/20"

You might be able to apply that filter as part of your tstats search. If you post your whole query I can try to be more specific.

Thanks,
J


klawman
Explorer

I couldn't apply the filter as part of the tstats, but your logic worked by adding a secondary search stanza AFTER the tstats search.

Thanks!


javiergn
SplunkTrust

No worries.
If you could post your final query here and mark it as answered I'm sure it would help others.

Thanks,
J

klawman
Explorer

Sure.

I'm still refining the port definitions (would love to be able to use "in") but here is the working query.

It looks for outbound traffic to IRC ports, excludes RFC1918 space and looks for multiple packets to avoid 'light' port scanning (we're seeing a lot of false-positives with some VoIP apps).

| tstats `summariesonly` max(_time) as _time, values(All_Traffic.action) as action, values(All_Traffic.src_port) as src_port, count
    from datamodel=Network_Traffic
    where * (All_Traffic.dest_port="6660" OR All_Traffic.dest_port="6661" OR All_Traffic.dest_port="6662" OR All_Traffic.dest_port="6663" OR All_Traffic.dest_port="6664" OR All_Traffic.dest_port="6665" OR All_Traffic.dest_port="6666" OR All_Traffic.dest_port="6667" OR All_Traffic.dest_port="6668" OR All_Traffic.dest_port="6669" OR All_Traffic.dest_port="7000")
          (All_Traffic.action="allowed" OR All_Traffic.action="blocked")
    by All_Traffic.src, All_Traffic.dest, All_Traffic.transport, All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| search NOT dest="10.0.0.0/8" NOT dest="172.16.0.0/12" NOT dest="192.168.0.0/16"
| sort action
| where count>10
| fields _time, action, src, dest, transport, dest_port, count
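The following is an added Python stand-in for the pipeline in the final query above; it is not code from the thread or from Splunk. It mirrors the two stages the thread arrives at: an aggregation step (the tstats part, restricted to the IRC ports 6660-6669 and 7000 and to allowed/blocked actions, grouped by src/dest/transport/dest_port) followed by a post-aggregation step that drops RFC1918 destinations and keeps only pairs with more than 10 packets. The sample events, helper names and the 203.0.113.0/24 and 198.51.100.0/24 destination addresses (RFC 5737 documentation ranges) are all constructed for the example. It uses the full RFC1918 ranges from the final query (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) rather than the /20 from the question, and `normalize_cidr` shows that Python's ipaddress rejects a prefix with host bits set, such as "10.0.0.1/16", unless strict=False is passed; it makes no claim about how Splunk treats such a prefix.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample events standing in for Network_Traffic data model rows.
# Destinations use RFC 5737 documentation ranges so nothing points at a real host.
def _flows(src, dest, dest_port, action, n, start_time):
    return [
        {"_time": start_time + i, "src": src, "dest": dest, "transport": "tcp",
         "src_port": 40000 + i, "dest_port": dest_port, "action": action}
        for i in range(n)
    ]

SAMPLE_EVENTS = (
    _flows("10.1.2.3", "203.0.113.5", 6667, "allowed", 12, 1_700_000_000)    # external IRC, noisy: should alert
    + _flows("10.1.2.3", "192.168.5.5", 6667, "allowed", 12, 1_700_000_100)  # RFC1918 destination: excluded
    + _flows("10.1.2.3", "198.51.100.9", 6667, "blocked", 3, 1_700_000_200)  # below the count threshold
    + _flows("10.1.2.3", "203.0.113.7", 443, "allowed", 12, 1_700_000_300)   # not an IRC port
    + _flows("10.1.2.3", "203.0.113.8", 6668, "teardown", 12, 1_700_000_400) # action not in the watched set
)

IRC_PORTS = set(range(6660, 6670)) | {7000}
WATCHED_ACTIONS = {"allowed", "blocked"}
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def normalize_cidr(spec):
    """Return the canonical network for a CIDR string.

    ipaddress raises ValueError for "10.0.0.1/16" (host bits set) unless
    strict=False; with it the prefix is normalised to "10.0.0.0/16".
    """
    return str(ip_network(spec, strict=False))


def is_rfc1918(addr):
    """True if addr falls in any of the three RFC1918 ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)


def aggregate(events):
    """Stand-in for the tstats stage: filter on port/action, then group and count."""
    groups = defaultdict(lambda: {"count": 0, "_time": 0, "action": set(), "src_port": set()})
    for ev in events:
        if ev["dest_port"] not in IRC_PORTS or ev["action"] not in WATCHED_ACTIONS:
            continue
        key = (ev["src"], ev["dest"], ev["transport"], ev["dest_port"])
        g = groups[key]
        g["count"] += 1
        g["_time"] = max(g["_time"], ev["_time"])   # max(_time) as _time
        g["action"].add(ev["action"])               # values(action)
        g["src_port"].add(ev["src_port"])           # values(src_port)
    return [
        {"src": k[0], "dest": k[1], "transport": k[2], "dest_port": k[3],
         "count": v["count"], "_time": v["_time"],
         "action": sorted(v["action"]), "src_port": sorted(v["src_port"])}
        for k, v in groups.items()
    ]


def detect(events, threshold=10):
    """Stand-in for the post-tstats stage: drop RFC1918 destinations, keep noisy pairs."""
    rows = [r for r in aggregate(events) if not is_rfc1918(r["dest"])]
    rows = [r for r in rows if r["count"] > threshold]
    return sorted(rows, key=lambda r: r["action"])


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Running the block prints a single row, the 12-packet allowed flow to 203.0.113.5:6667; the RFC1918 destination, the low-count pair, the non-IRC port and the unwatched action are all dropped at the stage the corresponding SPL clause would drop them. Keeping the RFC1918 exclusion in the second stage, as the thread does, is what lets the first stage stay an exact tstats query.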