Splunk Search

How to match an IP address from a lookup table of cidr ranges?

glenngermiathen
Path Finder

I'm trying to search records where the destination IP is in a lookup table consisting of a list of cidr ranges, but the source IP is not in one of those ranges. This was my initial thought on how to do it.

index=* | fields srcip dstip | where cidrmatch([| inputlookup IP_Ranges], dstip)  AND !cidrmatch([| inputlookup IP_Ranges], srcip) 

The lookup table is just a list of cidr ranges like
10.0.1.0/24
10.0.5.0/24
10.0.100.0/24

Any suggestions are greatly appreciated.

Tags (3)
1 Solution

lguinn2
Legend

The problem is that the first argument for cidrmatch is not a list of subnets, it is a string. And I don't know if the string can contain multiple subnets.

Another way to do this is to use the lookup command. But for this to work, you need to make sure that the following options appear in your transforms.conf

[IP_Ranges]
min_matches = 1
default_match = NONE
match_type = CIDR(cidr_range)

This assumes that your lookup file has a header row (which it must) and that the field name in the header is cidr_range.

index=* | fields srcip dstip 
| lookup IP_Ranges cidr_range as srcip OUTPUT cidr_range as src_match
| where src_match != "NONE"
| lookup IP_Ranges cidr_range as dstip OUTPUT cidr_range as dst_match
| where dst_match != "NONE"
| etc

Now you have two new fields, src_match and dst_match which will contain all the subnets that matched the srcip and dstip, respectively. If an ip does not match any subnets, the field will contain the string "NONE".

View solution in original post

ankurpwc
Engager

This was very helpful, thanks

lguinn2
Legend

The problem is that the first argument for cidrmatch is not a list of subnets, it is a string. And I don't know if the string can contain multiple subnets.

Another way to do this is to use the lookup command. But for this to work, you need to make sure that the following options appear in your transforms.conf

[IP_Ranges]
min_matches = 1
default_match = NONE
match_type = CIDR(cidr_range)

This assumes that your lookup file has a header row (which it must) and that the field name in the header is cidr_range.

index=* | fields srcip dstip 
| lookup IP_Ranges cidr_range as srcip OUTPUT cidr_range as src_match
| where src_match != "NONE"
| lookup IP_Ranges cidr_range as dstip OUTPUT cidr_range as dst_match
| where dst_match != "NONE"
| etc

Now you have two new fields, src_match and dst_match which will contain all the subnets that matched the srcip and dstip, respectively. If an ip does not match any subnets, the field will contain the string "NONE".

niddhi
Explorer

HI,

I did exactly the same steps, but i am only getting NONE (default) for all the entries. I have checked and matches do exists on the csv file. Any pointers on why ip is not getting matched to CIDR and how can it be resolved?

0 Karma

ohbuckeyeio
Communicator

Late to the show here, but I had the same issue. Found I had spaces at the end of my cidr_range values. If you copy/paste, make sure there are no leading/trailing spaces.

0 Karma

jwalzerpitt
Influencer

I'm trying to apply this query to a search of my Symantec logs and I'm having issues getting output to return the subnets that matched the src and dest IPs. My search is as follows:

index=symantec sourcetype=symantec:ep:risk:file action=allowed OR action=deferred AND Risk_Action="Virus found" | rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name" | fields "Host IP"
| lookup ip_cidr cidr_range as "Host IP" OUTPUT cidr_range as ip_match

My lookup file has three other columns in addition to cidr_range. What I'd like to do is match the src or dest IP to the IP cidr and then pull the zone/firewall/context the user is associated with.

Would appreciate any help

Thx

0 Karma

TonyLeeVT
Builder

A friend pointed this out, but this can be done without CLI access now. Perform the following:

1) Settings -> Lookups -> Lookup Definitions
2) Check the box for: "Advanced options"
3) Match type: CIDR([fieldname]) <-- fieldname is the field with the CIDR addresses in it

Then in your search:
... | lookup [fieldname] as src_ip OUTPUT site as src_site

JensT
Communicator

Hi Lisa,

great thing.
Can this be done without transforms.conf?
I.E. just upload the csv and then do the lookup inline?
(Our users are 'of course' not allowed to modify Splunk configs)

Rgds,
Jens

0 Karma

mathiask
Communicator

How about mixed IPv4 and IPv6 CIDR matches

ip_range,info
192.168.1.0/24,foo
2001::1/48,bar

0 Karma

aakwah
Builder

Thanks that hellped me a lot !

0 Karma

paulstark
Path Finder

nicely done

0 Karma

glenngermiathen
Path Finder

Or just how should I go about matching the IP address from the cidr ranges?

index=* | fields srcip dstip | where cidrmatch([| inputlookup IP_Ranges], dstip)

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...