Splunk Search

Determining if a CIDR Block is completely contained in another

BearMormont
Path Finder

I'm looking for a way to take a CIDR range in the format x.x.x.x/x and tell if it is completely enclosed within one of the private CIDR ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).

I'd like to be able to evaluate the CIDR block and ensure all of its IPs fall into the private range. For example, I have an event that has a CIDR_Value field and that value is 172.31.0.0/24. That range of IPs should be completely within the private 172.16.0.0/12 CIDR block. I'm looking for a way to evaluate that as true or false.

I read up on cidrmatch but that relies on you feeding in an IP and a CIDR block, not two CIDR blocks.

Any suggestions would be greatly appreciated.

1 Solution

BearMormont
Path Finder

This is what I decided to use though I can't be sure if it is correct or not. If anyone has a better solution I will change the answer.

 | ...
 | rex field=cidr_field "^(?<oct1>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct2>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct3>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct4>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\/(?<mask>3[0-2]|[12]?\d))?$"
 | eval mask = tonumber(coalesce(mask, "32"))
 | eval NetType = if((oct1==10) AND (mask>=8),"Private",if((oct1==172) AND (oct2>=16) AND (oct2<=31) AND (mask>=12),"Private",if((oct1==192) AND (oct2==168) AND (mask>=16),"Private","Public")))
 | ...

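An added example, not part of the original posts and not Splunk documentation, showing that cidrmatch can do the containment test after all if the block is split into its address part and its prefix length. A CIDR block A lies wholly inside an aligned block B exactly when A's prefix length is at least B's and any one address of A falls inside B, because every address of A then shares B's prefix bits; the second octet tests in the accepted answer are a hand-written version of the same prefix check. The search below runs on its own against constructed sample values from makeresults; the field name cidr_field and the "Invalid" label are assumptions.

```spl
| makeresults
| eval cidr_field="172.31.0.0/24,172.32.0.0/24,10.1.2.3,192.168.1.0/16,192.168.0.0/15,8.8.8.0/24,10.0.0.0/33"
| makemv delim="," cidr_field
| mvexpand cidr_field
| rex field=cidr_field "^(?<addr>(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})(?:\/(?<mask>3[0-2]|[12]?\d))?$"
| eval mask=tonumber(coalesce(mask,"32"))
| eval NetType=case(
    isnull(addr), "Invalid",
    cidrmatch("10.0.0.0/8", addr) AND mask>=8, "Private",
    cidrmatch("172.16.0.0/12", addr) AND mask>=12, "Private",
    cidrmatch("192.168.0.0/16", addr) AND mask>=16, "Private",
    true(), "Public")
| table cidr_field addr mask NetType
```

The rex anchors the whole value and only accepts masks 0 to 32, so a value such as 10.0.0.0/33 leaves addr empty and is reported as Invalid rather than silently falling through to Public; a bare address with no mask is treated as a /32. 172.32.0.0/24 is reported Public because 172.32.0.0 is outside 172.16.0.0/12, which a test that only checks the second octet against a lower bound of 16 would get wrong, and 192.168.0.0/15 is reported Public because its prefix is shorter than the /16 block even though its address is inside it. cidrmatch ignores host bits, so 192.168.1.0/16 is still recognised as part of 192.168.0.0/16.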


BearMormont
Path Finder

This is sort of what I have now, but I don't know if the logic is sound or if there is a chance it will interpret the data incorrectly. If someone could look it over and let me know what they think I'd appreciate it:

| ...
| rex field=cidr_field "^(?<oct1>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct2>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct3>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct4>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\/(?<mask>3[0-2]|[12]?\d))?$"
| eval mask = tonumber(coalesce(mask, "32"))
| eval NetType = if((oct1==10) AND (mask>=8),"Private",if((oct1==172) AND (oct2>=16) AND (oct2<=31) AND (mask>=12),"Private",if((oct1==192) AND (oct2==168) AND (mask>=16),"Private","Public")))
| ...