Splunk Search

How to match an IP address from a lookup table of cidr ranges?

glenngermiathen
Path Finder

I'm trying to search records where the destination IP is in a lookup table consisting of a list of cidr ranges, but the source IP is not in one of those ranges. This was my initial thought on how to do it.

index=* | fields srcip dstip | where cidrmatch([| inputlookup IP_Ranges], dstip)  AND !cidrmatch([| inputlookup IP_Ranges], srcip) 

The lookup table is just a list of cidr ranges like
10.0.1.0/24
10.0.5.0/24
10.0.100.0/24

Any suggestions are greatly appreciated.

Tags (3)
1 Solution

lguinn2
Legend

The problem is that the first argument for cidrmatch is not a list of subnets, it is a string. And I don't know if the string can contain multiple subnets.

Another way to do this is to use the lookup command. But for this to work, you need to make sure that the following options appear in your transforms.conf

[IP_Ranges]
min_matches = 1
default_match = NONE
match_type = CIDR(cidr_range)

This assumes that your lookup file has a header row (which it must) and that the field name in the header is cidr_range.

index=* | fields srcip dstip 
| lookup IP_Ranges cidr_range as srcip OUTPUT cidr_range as src_match
| where src_match != "NONE"
| lookup IP_Ranges cidr_range as dstip OUTPUT cidr_range as dst_match
| where dst_match != "NONE"
| etc

Now you have two new fields, src_match and dst_match which will contain all the subnets that matched the srcip and dstip, respectively. If an ip does not match any subnets, the field will contain the string "NONE".

View solution in original post

ankurpwc
New Member

This was very helpful, thanks

0 Karma

lguinn2
Legend

The problem is that the first argument for cidrmatch is not a list of subnets, it is a string. And I don't know if the string can contain multiple subnets.

Another way to do this is to use the lookup command. But for this to work, you need to make sure that the following options appear in your transforms.conf

[IP_Ranges]
min_matches = 1
default_match = NONE
match_type = CIDR(cidr_range)

This assumes that your lookup file has a header row (which it must) and that the field name in the header is cidr_range.

index=* | fields srcip dstip 
| lookup IP_Ranges cidr_range as srcip OUTPUT cidr_range as src_match
| where src_match != "NONE"
| lookup IP_Ranges cidr_range as dstip OUTPUT cidr_range as dst_match
| where dst_match != "NONE"
| etc

Now you have two new fields, src_match and dst_match which will contain all the subnets that matched the srcip and dstip, respectively. If an ip does not match any subnets, the field will contain the string "NONE".

niddhi
Explorer

HI,

I did exactly the same steps, but i am only getting NONE (default) for all the entries. I have checked and matches do exists on the csv file. Any pointers on why ip is not getting matched to CIDR and how can it be resolved?

0 Karma

ohbuckeyeio
Path Finder

Late to the show here, but I had the same issue. Found I had spaces at the end of my cidr_range values. If you copy/paste, make sure there are no leading/trailing spaces.

0 Karma

jwalzerpitt
Motivator

I'm trying to apply this query to a search of my Symantec logs and I'm having issues getting output to return the subnets that matched the src and dest IPs. My search is as follows:

index=symantec sourcetype=symantec:ep:risk:file action=allowed OR action=deferred AND Risk_Action="Virus found" | rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name" | fields "Host IP"
| lookup ip_cidr cidr_range as "Host IP" OUTPUT cidr_range as ip_match

My lookup file has three other columns in addition to cidr_range. What I'd like to do is match the src or dest IP to the IP cidr and then pull the zone/firewall/context the user is associated with.

Would appreciate any help

Thx

0 Karma

TonyLeeVT
Builder

A friend pointed this out, but this can be done without CLI access now. Perform the following:

1) Settings -> Lookups -> Lookup Definitions
2) Check the box for: "Advanced options"
3) Match type: CIDR([fieldname]) <-- fieldname is the field with the CIDR addresses in it

Then in your search:
... | lookup [fieldname] as src_ip OUTPUT site as src_site

JensT
Communicator

Hi Lisa,

great thing.
Can this be done without transforms.conf?
I.E. just upload the csv and then do the lookup inline?
(Our users are 'of course' not allowed to modify Splunk configs)

Rgds,
Jens

0 Karma

mathiask
Communicator

How about mixed IPv4 and IPv6 CIDR matches

ip_range,info
192.168.1.0/24,foo
2001::1/48,bar

0 Karma

aakwah
Builder

Thanks that hellped me a lot !

0 Karma

paulstark
Path Finder

nicely done

0 Karma

glenngermiathen
Path Finder

Or just how should I go about matching the IP address from the cidr ranges?

index=* | fields srcip dstip | where cidrmatch([| inputlookup IP_Ranges], dstip)

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...