
Check IPs on Blacklist in CIDR notation

New Member

I'm struggling with the following.
I have a search that returns all public IP addresses for which a connection was made on my Cisco ASA 5516-X firewall.
host="192.168.10.2" Built | rex "(?<ip1>\d+\.\d+\.\d+\.\d+)/" max_match=0 | top limit=10000 ip1 | where NOT (ip1 LIKE "192.168.%.%")

I'd like to compare this list against the below blacklist
http://iplists.firehol.org/?ipset=firehol_level1

The primary problem I have is that the IPs returned are single addresses and the blacklist is in CIDR notation. Is there a way to compare a list of single IPs to see if they match any entries within a CIDR notation?

Thanks


Re: Check IPs on Blacklist in CIDR notation

Champion

I haven't used it but there is a function for eval/where called cidrmatch - seems to do just that.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

cidrmatch("X",Y)

This function returns true when an IP address Y belongs to a particular subnet X. The function uses two string arguments: the first is the CIDR subnet; the second is the IP address to match.

This example uses cidrmatch to set a field, isLocal, to "local" if the field ip matches the subnet, or "not local" if it does not:
... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")

This example uses cidrmatch as a filter:

... | where cidrmatch("123.132.32.0/25", ip)
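The question's search extracts single IPs while the firehol list is made of CIDR prefixes, and the answer's cidrmatch handles one prefix at a time. As an added example (not from this thread, Splunk or firehol), the Python below does the whole comparison offline: it parses a constructed snippet in the firehol netset format, pulls IPs out of constructed ASA "Built" messages the way the question's rex does, drops RFC1918 addresses (generalizing the question's 192.168 filter to all three private ranges), and reports which remaining IPs fall inside any blacklisted prefix. The blacklist entries and log lines are made up for the example.

```python
import ipaddress
import re

# Constructed sample in the firehol netset shape: '#' comments, one prefix per
# line, bare IPs meaning /32. These prefixes are NOT real firehol_level1 data.
BLACKLIST_TEXT = """\
# firehol_level1 (constructed sample, not the real list)
5.188.10.0/23
23.129.64.0/24
192.0.2.77
"""

# Constructed ASA 'Built' connection messages (same ip/port layout the
# question's rex relies on); addresses are documentation/test ranges.
ASA_EVENTS = [
    "%ASA-6-302013: Built outbound TCP connection 1 for outside:5.188.11.9/443 "
    "(5.188.11.9/443) to inside:192.168.10.25/51002 (10.0.0.9/51002)",
    "%ASA-6-302015: Built inbound UDP connection 2 for outside:203.0.113.5/123 "
    "(203.0.113.5/123) to inside:192.168.10.2/123 (192.168.10.2/123)",
    "%ASA-6-302013: Built outbound TCP connection 3 for outside:192.0.2.77/80 "
    "(192.0.2.77/80) to inside:192.168.10.31/40001 (192.168.10.31/40001)",
]

# Same shape as the question's rex, with the dots escaped and the '/' left
# outside the capture so the extracted value is a clean address.
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/")

# RFC1918 ranges; the question only excluded 192.168.0.0/16.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_blacklist(text):
    """Parse netset text into IPv4 networks, skipping comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def public_ips(events):
    """Extract every IP (like rex max_match=0) and drop RFC1918 addresses."""
    found = {ipaddress.ip_address(m) for ev in events for m in IP_RE.findall(ev)}
    return sorted(ip for ip in found if not any(ip in n for n in PRIVATE_NETS))


def blacklisted(ips, nets):
    """The cidrmatch step over the whole list: {ip: first matching prefix}."""
    return {str(ip): str(net) for ip in ips for net in nets if ip in net}
```

Running `blacklisted(public_ips(ASA_EVENTS), load_blacklist(BLACKLIST_TEXT))` flags 5.188.11.9 (inside 5.188.10.0/23) and 192.0.2.77 (the bare /32 entry) and leaves 203.0.113.5 alone.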