Splunk Search

How to match an IP address from a lookup table of cidr ranges?

Path Finder

I'm trying to search records where the destination IP is in a lookup table consisting of a list of cidr ranges, but the source IP is not in one of those ranges. This was my initial thought on how to do it.

index=* | fields srcip dstip | where cidrmatch([| inputlookup IP_Ranges], dstip)  AND !cidrmatch([| inputlookup IP_Ranges], srcip) 

The lookup table is just a list of cidr ranges like
10.0.1.0/24
10.0.5.0/24
10.0.100.0/24

Any suggestions are greatly appreciated.

Tags (3)
1 Solution

Legend

The problem is that the first argument for cidrmatch is not a list of subnets, it is a string. And I don't know if the string can contain multiple subnets.

Another way to do this is to use the lookup command. But for this to work, you need to make sure that the following options appear in your transforms.conf

[IP_Ranges]
min_matches = 1
default_match = NONE
match_type = CIDR(cidr_range)

This assumes that your lookup file has a header row (which it must) and that the field name in the header is cidr_range.

index=* | fields srcip dstip 
| lookup IP_Ranges cidr_range as srcip OUTPUT cidr_range as src_match
| where src_match != "NONE"
| lookup IP_Ranges cidr_range as dstip OUTPUT cidr_range as dst_match
| where dst_match != "NONE"
| etc

Now you have two new fields, src_match and dst_match which will contain all the subnets that matched the srcip and dstip, respectively. If an ip does not match any subnets, the field will contain the string "NONE".

View solution in original post

New Member

This was very helpful, thanks

0 Karma

Legend

The problem is that the first argument for cidrmatch is not a list of subnets, it is a string. And I don't know if the string can contain multiple subnets.

Another way to do this is to use the lookup command. But for this to work, you need to make sure that the following options appear in your transforms.conf

[IP_Ranges]
min_matches = 1
default_match = NONE
match_type = CIDR(cidr_range)

This assumes that your lookup file has a header row (which it must) and that the field name in the header is cidr_range.

index=* | fields srcip dstip 
| lookup IP_Ranges cidr_range as srcip OUTPUT cidr_range as src_match
| where src_match != "NONE"
| lookup IP_Ranges cidr_range as dstip OUTPUT cidr_range as dst_match
| where dst_match != "NONE"
| etc

Now you have two new fields, src_match and dst_match which will contain all the subnets that matched the srcip and dstip, respectively. If an ip does not match any subnets, the field will contain the string "NONE".

View solution in original post

New Member

HI,

I did exactly the same steps, but i am only getting NONE (default) for all the entries. I have checked and matches do exists on the csv file. Any pointers on why ip is not getting matched to CIDR and how can it be resolved?

0 Karma

Explorer

Late to the show here, but I had the same issue. Found I had spaces at the end of my cidr_range values. If you copy/paste, make sure there are no leading/trailing spaces.

0 Karma

Motivator

I'm trying to apply this query to a search of my Symantec logs and I'm having issues getting output to return the subnets that matched the src and dest IPs. My search is as follows:

index=symantec sourcetype=symantec:ep:risk:file action=allowed OR action=deferred AND Risk_Action="Virus found" | rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name" | fields "Host IP"
| lookup ip_cidr cidr_range as "Host IP" OUTPUT cidr_range as ip_match

My lookup file has three other columns in addition to cidr_range. What I'd like to do is match the src or dest IP to the IP cidr and then pull the zone/firewall/context the user is associated with.

Would appreciate any help

Thx

0 Karma

Builder

A friend pointed this out, but this can be done without CLI access now. Perform the following:

1) Settings -> Lookups -> Lookup Definitions
2) Check the box for: "Advanced options"
3) Match type: CIDR([fieldname]) <-- fieldname is the field with the CIDR addresses in it

Then in your search:
... | lookup [fieldname] as srcip OUTPUT site as srcsite

Communicator

Hi Lisa,

great thing.
Can this be done without transforms.conf?
I.E. just upload the csv and then do the lookup inline?
(Our users are 'of course' not allowed to modify Splunk configs)

Rgds,
Jens

0 Karma

Communicator

How about mixed IPv4 and IPv6 CIDR matches

ip_range,info
192.168.1.0/24,foo
2001::1/48,bar

0 Karma

Builder

Thanks that hellped me a lot !

0 Karma

Path Finder

nicely done

0 Karma

Path Finder

Or just how should I go about matching the IP address from the cidr ranges?

index=* | fields srcip dstip | where cidrmatch([| inputlookup IP_Ranges], dstip)

0 Karma