Splunk Search

Determining if a CIDR Block is completely contained in another

BearMormont
Path Finder

I'm looking for a way to take a CIDR range in the format x.x.x.x/x and tell if it is completely enclosed within one of the private CIDR ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).

I'd like to be able to evaluate the CIDR block and ensure all of its IPs fall into the private range. For example, I have an event that has a CIDR_Value field and that value is 172.31.0.0/24. That range of IPs should be completely within the private 172.16.0.0/12 CIDR block. I'm looking for a way to evaluate that as true or false.

I read up on cidrmatch but that relies on you feeding in an IP and a CIDR block, not two CIDR blocks.

Any suggestions would be greatly appreciated.

0 Karma
1 Solution

BearMormont
Path Finder

This is what I decided to use though I can't be sure if it is correct or not. If anyone has a better solution I will change the answer.

 | ...
 | rex field=cidr_field "(?<oct1>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct2>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct3>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct4>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)($|\/(?<mask>3[0-2]|2\d|1\d|\d))?"
 | eval NetType = if((oct1==10) AND (mask>=8),"Private",if((oct1==172) AND (oct2>=16) AND (oct2<=31) AND (mask>=12),"Private",if((oct1==192) AND (oct2==168) AND (mask>=16),"Private","Public")))
 |...

0 Karma
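As an added example, not code from this thread or from Splunk: the same containment test written in Python, first as the octet/mask comparison the SPL eval above performs (with the second octet checked against the 16..31 range of 172.16.0.0/12), then as a proper prefix-containment check using the standard library's ipaddress module, so the two can be cross-checked. The CIDR_Value sample strings and the function names are constructed for the example.

```python
# Added example (not from the Splunk thread): classify a CIDR string as Private
# or Public, first with the octet/mask test used in the SPL eval above, then
# with a prefix-containment check, so the two can be cross-checked.
import ipaddress
import re

PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Same shape as the SPL rex: four octets and an optional "/mask".
CIDR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?$")


def net_type_by_octets(cidr):
    """Octet/mask test equivalent to the SPL eval, second octet bounded to 16..31."""
    m = CIDR_RE.match(cidr.strip())
    if not m:
        return "Invalid"
    o1, o2, o3, o4, mask = (int(g) if g is not None else None for g in m.groups())
    mask = 32 if mask is None else mask          # bare IP == a single host
    if max(o1, o2, o3, o4) > 255 or mask > 32:
        return "Invalid"
    if o1 == 10 and mask >= 8:
        return "Private"
    # "oct2>=16" alone would call 172.32.0.0/16 Private; it must also be <= 31.
    if o1 == 172 and 16 <= o2 <= 31 and mask >= 12:
        return "Private"
    if o1 == 192 and o2 == 168 and mask >= 16:
        return "Private"
    return "Public"


def net_type_by_prefix(cidr):
    """Reference check; strict=False drops host bits (172.20.0.0/12 -> 172.16.0.0/12)."""
    try:
        net = ipaddress.ip_network(cidr.strip(), strict=False)
    except ValueError:
        return "Invalid"
    if net.version != 4:
        return "Invalid"                          # only the IPv4 private ranges are checked
    return "Private" if any(net.subnet_of(p) for p in PRIVATE_RANGES) else "Public"


# Constructed sample values for a CIDR_Value field, including the edge cases.
SAMPLE_CIDRS = ["172.31.0.0/24", "172.32.0.0/16", "172.20.0.0/12", "10.0.0.0/7",
                "192.168.1.0/24", "192.168.0.0/15", "10.1.2.3", "8.8.8.0/24", "300.1.1.1/8"]


def classify_all(cidrs=SAMPLE_CIDRS):
    """Return {cidr: (octet_result, prefix_result)} so any disagreement stands out."""
    return {c: (net_type_by_octets(c), net_type_by_prefix(c)) for c in cidrs}
```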

BearMormont
Path Finder

This is sort of what I have now, but I don't know if the logic is sound or if there is a chance it will interpret the data incorrectly. If someone could look it over and let me know what they think I'd appreciate it:

| ...
| rex field=cidr_field "(?<oct1>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct2>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct3>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct4>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)($|\/(?<mask>3[0-2]|2\d|1\d|\d))?"
| eval NetType = if((oct1==10) AND (mask>=8),"Private",if((oct1==172) AND (oct2>=16) AND (oct2<=31) AND (mask>=12),"Private",if((oct1==192) AND (oct2==168) AND (mask>=16),"Private","Public")))
|...
0 Karma