Splunk Search

How to find events that have non RFC1918 addresses

wtaylor149
Explorer

Issue I'm facing:

My use case is to detect a successful ssh login from an external ip_address.

I have my linux logs in: index=linux_logs

These logs have a field called "hostname". "hostname" is sometimes a FQDN and sometimes it's an ip_address. I have an asset list (lookup file),  assets.csv.  Not all of the FQDN from the linux_logs are in this list.

Here is my initial query:

index=linux_logs sourcetype=syslog exe="/usr/sbin/sshd" res=success NOT hostname=?

| stats count, min(_time) as first_time, max(_time) as last_time, values(dest) as dest, values(hostname) as src by acct

| lookup assets.csv dns AS src OUTPUT ip

| fillnull value=no_ip ip

 

A sample of the results:

acctcountfirst_timelast_timedesthostnameip
user150epoch_time_formatepoch_time_formathost1.mycompany.comsrc1.mycompany.com10.36.25.14
user240epoch_time_formatepoch_time_formathost3.mycompany.comsrc3.mycompany.comno_ip

 

 I want to eliminate the RFC1918 and keep the "no_ip" and ip's outside of the RFC1918 ranges. I do have a lookup for the rfc1918 ranges but I'm struggling with how to write the spl to check the "ip" field for what I need. Any help is greatly appreciated.

Labels (2)
0 Karma

PickleRick
SplunkTrust
SplunkTrust
| where NOT cidrmatch("10.0.0.0/8,ip) AND NOT cidrmatch("192.168.0.0/16",ip) AND [...]
0 Karma
Get Updates on the Splunk Community!

Splunk Certification Support Alert | Pearson VUE Outage

Splunk Certification holders and candidates!  Please be advised of an upcoming system maintenance period for ...

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...