How to find events that have non-RFC1918 addresses

wtaylor149
Explorer

Issue I'm facing:

My use case is to detect a successful ssh login from an external ip_address.

I have my linux logs in: index=linux_logs

These logs have a field called "hostname". "hostname" is sometimes a FQDN and sometimes it's an ip_address. I have an asset list (lookup file), assets.csv. Not all of the FQDNs from the linux_logs are in this list.

Here is my initial query:

index=linux_logs sourcetype=syslog exe="/usr/sbin/sshd" res=success NOT hostname=?
| stats count, min(_time) as first_time, max(_time) as last_time, values(dest) as dest, values(hostname) as src by acct
| lookup assets.csv dns AS src OUTPUT ip
| fillnull value=no_ip ip

A sample of the results:

acct  | count | first_time        | last_time         | dest                | hostname            | ip
user1 | 50    | epoch_time_format | epoch_time_format | host1.mycompany.com | src1.mycompany.com  | 10.36.25.14
user2 | 40    | epoch_time_format | epoch_time_format | host3.mycompany.com | src3.mycompany.com  | no_ip

I want to eliminate the RFC1918 addresses and keep the "no_ip" rows and the IPs outside of the RFC1918 ranges. I do have a lookup for the RFC1918 ranges but I'm struggling with how to write the SPL to check the "ip" field for what I need. Any help is greatly appreciated.

PickleRick
SplunkTrust
| where NOT cidrmatch("10.0.0.0/8",ip) AND NOT cidrmatch("192.168.0.0/16",ip) AND [...]
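The following is an added example, not part of PickleRick's reply or of the original question, that puts the complete filter together with all three RFC1918 blocks. It assumes what the question states: assets.csv has a dns column and an ip column, and fillnull tags hosts missing from the asset list as no_ip. The lookup and the RFC1918 classification are moved before stats so that each event carries a single ip value (after stats, src and ip become multivalue lists per acct, which makes cidrmatch results hard to reason about). The where clause keeps the no_ip rows and anything outside the three private ranges, which is exactly the set of successful logins worth reviewing for an external source.

```spl
index=linux_logs sourcetype=syslog exe="/usr/sbin/sshd" res=success NOT hostname=?
| lookup assets.csv dns AS hostname OUTPUT ip
| fillnull value=no_ip ip
| eval is_rfc1918=if(cidrmatch("10.0.0.0/8",ip) OR cidrmatch("172.16.0.0/12",ip) OR cidrmatch("192.168.0.0/16",ip), 1, 0)
| where ip="no_ip" OR is_rfc1918=0
| stats count, min(_time) as first_time, max(_time) as last_time, values(dest) as dest, values(hostname) as src, values(ip) as src_ip by acct
```

Two things to keep in mind when reading the output. First, only the three RFC1918 blocks are excluded, because that is what the question asks for; loopback (127.0.0.0/8) or link-local (169.254.0.0/16) sources are not RFC1918 and would still appear in the results, so they are worth a second glance rather than an alert. Second, the existing rfc1918 range lookup mentioned in the question can replace the eval line: if its lookup definition in transforms.conf sets match_type = CIDR(<cidr column>), a `| lookup <that lookup> <cidr column> AS ip OUTPUT <marker column>` will populate the marker only for private addresses, and `| where ip="no_ip" OR isnull(<marker column>)` gives the same result (the column names there are placeholders, since the page does not show that lookup's layout).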