I'm looking for a way to take a CIDR range in the format x.x.x.x/x and tell if it is completely enclosed within one of the private CIDR ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).
I'd like to be able to evaluate the CIDR block and ensure all of its IPs fall into the private range. For example, I have an event that has a CIDR_Value field and that value is 172.31.0.0/24. That range of IPs should be completely within the private 172.16.0.0/12 CIDR block. I'm looking for a way to evaluate that as true or false.
I read up on cidrmatch, but that relies on you feeding in an IP and a CIDR block, not two CIDR blocks.
Any suggestions would be greatly appreciated.
This is what I decided to use though I can't be sure if it is correct or not. If anyone has a better solution I will change the answer.
| ...
| rex field=cidr_field "(?<oct1>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct2>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct3>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct4>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)($|\/(?<mask>3[0-2]|2\d|1\d|\d))?"
| eval NetType = if((oct1==10) AND (mask>=8),"Private",if((oct1==172) AND (oct2>=16) AND (oct2<=31) AND (mask>=12),"Private",if((oct1==192) AND (oct2==168) AND (mask>=16),"Private","Public")))
| ...
This is sort of what I have now, but I don't know if the logic is sound or if there is a chance it will interpret the data incorrectly. If someone could look it over and let me know what they think I'd appreciate it:
| ...
| rex field=cidr_field "(?<oct1>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct2>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct3>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct4>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)($|\/(?<mask>3[0-2]|2\d|1\d|\d))?"
| eval NetType = if((oct1==10) AND (mask>=8),"Private",if((oct1==172) AND (oct2>=16) AND (oct2<=31) AND (mask>=12),"Private",if((oct1==192) AND (oct2==168) AND (mask>=16),"Private","Public")))
| ...
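One way to check whether an octet-and-mask comparison like the one in this thread is sound, as an added example that is not from the original posts: a Python port of the rule is compared against the standard library's `ipaddress.subnet_of` over every prefix length. The function names and the sampled octets are this example's own; `bound_172=False` drops the upper limit of 31 on the second octet to show which ranges are then mislabeled.

```python
import ipaddress
import re

PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_fully_private(cidr):
    """Reference check: every address in `cidr` lies inside one private block."""
    # strict=False tolerates host bits (e.g. 172.31.5.9/24), as an event field may carry
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in PRIVATE)

def octet_rule(cidr, bound_172=True):
    """Python port of the octet/mask comparison (hypothetical helper name)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)/(\d+)", cidr)
    if not m:
        return False  # no mask present: cannot prove containment
    o1, o2, _, _, mask = map(int, m.groups())
    in_172 = o2 >= 16 and (o2 <= 31 or not bound_172)
    return ((o1 == 10 and mask >= 8)
            or (o1 == 172 and in_172 and mask >= 12)
            or (o1 == 192 and o2 == 168 and mask >= 16))

def disagreements(bound_172=True):
    """CIDRs where the octet rule and the reference check give different answers."""
    bad = []
    # Constructed sample: first octets on and around each private block,
    # every second octet, every prefix length from /0 to /32.
    for o1 in (9, 10, 11, 171, 172, 173, 191, 192, 193):
        for o2 in range(256):
            for mask in range(33):
                cidr = f"{o1}.{o2}.0.0/{mask}"
                if is_fully_private(cidr) != octet_rule(cidr, bound_172):
                    bad.append(cidr)
    return bad

if __name__ == "__main__":
    print(is_fully_private("172.31.0.0/24"))       # the event value from the question
    print(len(disagreements()))                    # rule with oct2 limited to 16..31
    print(disagreements(bound_172=False)[:3])      # rule without the upper limit
```
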