Hello there!
We're trying to plan the best way to search multiple IP ranges that could possibly be going through squid to the Internet.
Nowadays in our environment we have a specific IP range that can't have access to the Internet. Therefore we decided to monitor this IP range by creating a specific alert.
I have researched on Splunk Answers and then I made the regex below, but it didn't work as I expected. The IP range that I want to take is 10.(1-200).(80-199).(231-254)
process="squid" httpstatus=200 | rex field=clientaddress "10.(?<secoctect>\d+).(?<thiroctect>\d+).(?<four_octect>\d+)" | search (secoctect <200) AND (79 > thiroctect <200) AND (four_octect >230)
Does anybody know what I should do? I will appreciate any help.
Thanks
Something like this should work for you.
process="squid" httpstatus=200 | regex clientaddress="^10\.([1-9]|[1-9][0-9]|1[0-9][0-9]|200)\.([8-9][0-9]|1[0-9][0-9])\.(2(3[1-9]|4[0-9]|5[0-4]))$"
The regex command will match the specified regular expression for the field clientaddress and filter out non-matching events.
Try like this
process="squid" httpstatus=200 | rex field=clientaddress "^10\.(?<secoctect>\d+)\.(?<thiroctect>\d+)\.(?<four_octect>\d+)$" | search (secoctect>=1 AND secoctect<=200) AND (thiroctect>=80 AND thiroctect<=199) AND (four_octect>=231 AND four_octect<=254)
My bad, I missed the backslashes with d. Try the updated answer...
I tried like this
process="squid" httpstatus=200 | rex field=clientaddress "10.(?
But it did not work yet.
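As an added worked example (not code from the original thread), the two approaches in the answers above, the single range regex and the extract-then-compare style of rex plus search, reimplemented in Python over a few constructed squid-style events so they can be checked side by side. The event format, field names and addresses are invented for the example; the three group names are the ones used in the thread. It also shows why the regex needs anchoring: without `^` and `$`, Splunk's regex command (like re.search here) will happily match `10.5.90.240` inside `110.5.90.240`.

```python
import re

# Constructed sample events in the shape the thread's searches expect
# (process, HTTP status, client address). Not real log data.
SAMPLE_EVENTS = """\
process=squid httpstatus=200 clientaddress=10.5.90.240 url=http://example.com/
process=squid httpstatus=200 clientaddress=10.200.199.254 url=http://example.com/
process=squid httpstatus=200 clientaddress=10.201.90.240 url=http://example.com/
process=squid httpstatus=200 clientaddress=10.5.79.240 url=http://example.com/
process=squid httpstatus=200 clientaddress=10.5.90.230 url=http://example.com/
process=squid httpstatus=200 clientaddress=110.5.90.240 url=http://example.com/
process=squid httpstatus=403 clientaddress=10.5.90.240 url=http://example.com/
process=sshd httpstatus=200 clientaddress=10.5.90.240 url=-
"""

# The range regex from the first answer, anchored to the whole field.
# Second octet 1-200, third 80-199, fourth 231-254.
ANCHORED = re.compile(
    r"^10\.([1-9]|[1-9][0-9]|1[0-9][0-9]|200)"
    r"\.([8-9][0-9]|1[0-9][0-9])"
    r"\.(2(3[1-9]|4[0-9]|5[0-4]))$"
)
# Same pattern without anchors, the way it was first posted.
UNANCHORED = re.compile(ANCHORED.pattern.lstrip("^").rstrip("$"))

# The second answer's approach: capture the octets with named groups
# (names as in the thread), then compare them numerically.
OCTETS = re.compile(
    r"^10\.(?P<secoctect>\d+)\.(?P<thiroctect>\d+)\.(?P<four_octect>\d+)$"
)


def parse_event(line):
    """Turn 'key=value key=value ...' into a dict (stand-in for Splunk's field extraction)."""
    return dict(kv.split("=", 1) for kv in line.split())


def in_range_by_octets(addr):
    """rex + search equivalent: extract octets, then bound-check each one."""
    m = OCTETS.match(addr)
    if not m:
        return False
    o2, o3, o4 = (int(m.group(g)) for g in ("secoctect", "thiroctect", "four_octect"))
    return 1 <= o2 <= 200 and 80 <= o3 <= 199 and 231 <= o4 <= 254


def in_range_by_regex(addr, pattern=ANCHORED):
    """regex command equivalent: Splunk's regex filters with an unanchored search."""
    return pattern.search(addr) is not None


def find_violations(events, matcher):
    """Apply the thread's base search (process=squid, status 200) and the matcher;
    return the client addresses that would fire the alert, in event order."""
    hits = []
    for line in events.splitlines():
        ev = parse_event(line)
        if ev.get("process") != "squid" or ev.get("httpstatus") != "200":
            continue
        if matcher(ev.get("clientaddress", "")):
            hits.append(ev["clientaddress"])
    return hits


if __name__ == "__main__":
    print("octet compare :", find_violations(SAMPLE_EVENTS, in_range_by_octets))
    print("anchored regex:", find_violations(SAMPLE_EVENTS, in_range_by_regex))
    print("unanchored    :", find_violations(
        SAMPLE_EVENTS, lambda a: in_range_by_regex(a, UNANCHORED)))
```

The octet comparison and the anchored regex agree on the same two addresses; the unanchored pattern additionally reports `110.5.90.240`, which is outside the blocked range. Whichever form goes into the alert, anchor it, and for the rex variant remember that the search command only accepts one comparison per clause, so `79 > thiroctect < 200` has to be written as two bounds joined with AND.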