Splunk Search

Find group using client IP in lookup of network ranges

ccsfdave
Builder

What I am trying to do is find what group a client IP belongs to. I have some existing assets (lookup csv) which ideally could be used in their current form. I have seen some posts similar but nothing to get me all the way there.

Base Search:
index=security sourcetype=cisco mickey_mouse duration=* | rex "outside:(?<ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)"

This gives me a new field of ip with the IP that the user has been assigned from the VPN. I then want to use this IP to find the group from this csv:

IP_Address     Mask             Group_Name
10.3.208.128   255.255.255.192  NYC
10.3.202.128   255.255.255.192  SF
10.3.217.64    255.255.255.192  SD
10.3.227.0     255.255.255.0    callcntr

So if the result of Mickey Mouse gaining VPN access is that he is given 10.3.227.13, I would like to have a new field (maybe named "group") return "callcntr".

Thanks!

0 Karma
1 Solution

ccsfdave
Builder

@aljohnson_splunk -

No luck so far. Been at it for a couple hours this morning looking at a previous question and answer which is very similar: http://answers.splunk.com/answers/93620/lookup-with-cidr.html but still I cannot figure out what's going on.

So let's clean it up and lay it all out again:

Search: index=security sourcetype=cisco_asa mickey_mouse duration=* | rex "outside:(?<vpn_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)" - this will extract the IP I want to use to look up in the lookup table.

props.conf: [security]
LOOKUP-vpn_group = VPNGroup vpn_ip OUTPUTNEW Group_Name AS VPNGroup

transforms.conf: [VPNGroup]
filename = CIDR_VPN_Groups.csv
match_type = CIDR(CIDR_Address)

lookup file - /opt/splunk/etc/apps/search/lookups/CIDR_VPN_Groups.csv : CIDR_Address,Group_Name
10.1.x.x/26,fantasy_land
10.1.x.x/26,tomorrow_land
10.1.x.x/26,frontier_land

In the previous link, this results in a new field appearing in my results which I would expect to be VPNGroup.

Thanks.

Dave


0 Karma


ccsfdave
Builder

I ended up copying almost exactly my previous post (link text), but nothing was showing up until I changed my search to include VPNGroup=*, and then the field appeared, even though I bounced Splunk. So who knows whether what I have in my comment above was working but not showing to me...

aljohnson_splun
Splunk Employee

Change your lookup to encompass CIDR ranges - I think that's what you're looking for:

See this answer: http://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html

0 Karma

aljohnson_splun
Splunk Employee

@ccsfdave - does this help at all?

0 Karma

ccsfdave
Builder

@aljohnson_splunk - I converted my lookup into a new lookup with CIDR format but ran out of time yesterday and won't get back to it until tomorrow morning. Thanks for checking in. I'll let you know how it goes.

I could swear I have a similar search somewhere in my environment, hopefully I do and I can leverage that solution as well.

Dave

0 Karma

aljohnson_splun
Splunk Employee

You could actually do this with just the eval command using the cidrmatch function. (docs)
Here is the example from the docs:

This example uses cidrmatch to set a field, isLocal, to "local" if the field ip matches the subnet, or "not local" if it does not:
... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")

This example uses cidrmatch as a filter:

... | where cidrmatch("123.132.32.0/25", ip)

In your case however, you are probably going to want to use the case function rather than the if function.

... | eval group = case(cidrmatch("10.3.227.0/24", ip), "callcntr", cidrmatch("10.3.217.64/cidr_range", ip), "SD" ...
0 Karma
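The two approaches in this thread (a CIDR-typed lookup file built from the question's IP_Address/Mask table, and the eval ... case(cidrmatch(...)) chain) are shown side by side below. This is an added example and not code from the thread or from Splunk; it uses a constructed copy of the table from the question, and the field name vpn_ip is the one from the props.conf snippet above.

```python
import csv
import io
import ipaddress

# Constructed sample of the IP_Address/Mask/Group_Name lookup from the question (not a real file).
LOOKUP_CSV = """IP_Address,Mask,Group_Name
10.3.208.128,255.255.255.192,NYC
10.3.202.128,255.255.255.192,SF
10.3.217.64,255.255.255.192,SD
10.3.227.0,255.255.255.0,callcntr
"""


def load_ranges(csv_text):
    """Parse the mask-style lookup into (network, group) pairs; the network is in CIDR form."""
    ranges = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # strict=False tolerates a host bit set in IP_Address; the dotted mask becomes a prefix length.
        net = ipaddress.ip_network(f"{row['IP_Address']}/{row['Mask']}", strict=False)
        ranges.append((net, row["Group_Name"]))
    return ranges


def to_cidr_csv(ranges):
    """Emit the CIDR_Address,Group_Name file that match_type = CIDR(CIDR_Address) expects.

    Rows are ordered most-specific prefix first so that, if ranges overlap, the first
    matching row in the file is also the narrowest one.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["CIDR_Address", "Group_Name"])
    for net, group in sorted(ranges, key=lambda r: -r[0].prefixlen):
        writer.writerow([net.with_prefixlen, group])
    return out.getvalue()


def cidr_group(ip, ranges):
    """Local check of what the lookup should return: the group of the longest matching prefix."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, group in ranges:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, group)
    return best[1] if best else None


def to_case_eval(ranges, field="vpn_ip"):
    """Generate the eval/case alternative from the answer above, with a true() default."""
    clauses = ", ".join(f'cidrmatch("{net.with_prefixlen}", {field}), "{group}"'
                        for net, group in sorted(ranges, key=lambda r: -r[0].prefixlen))
    return f'eval group = case({clauses}, true(), "unknown")'
```

With 165 groups the generated case() string gets long, which is the objection raised below; the CSV output is the form that goes into the lookup file instead.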

ccsfdave
Builder

@aljohnson_splunk the problem with the example is that I have 165 groups so the eval would be really long...

0 Karma

aljohnson_splun
Splunk Employee

@ccsfdave did you see my comment (converted to answer) to the main question? You could maybe use CIDR ranges in the actual lookup?

0 Karma

aljohnson_splun
Splunk Employee

If you wrote the eval one time and saved it as a macro, at least you'd only have to do it once 😛 but I hear what you're saying.

0 Karma
