Hi There,
This is my first post so wanted to say Hello!
I am trying to create an alert for possible Deny actions on our firewall from 3 different internal IPs against multiple external IP subnets, not single IPs.
I found this post http://answers.splunk.com/answers/57094/join-ip-with-a-subnet.html
and created ip_lookups.csv and transforms.conf
ip_lookups.csv has the following format (IP ranges changed for demo purposes):
ip,location
200.100.32.0/19,target1 255.255.224.0
100.200.30.0/19,target2 255.255.224.0
50.60.80.0/20,target3 255.255.240.0
Could you advise on how to create a search rule to reflect the target subnets based on the ip_lookups.csv, please? Maybe there is a better way of doing it.
Thanks.
This works:
* | head 1 | eval ip = "192.168.0.11" | search ip=192.168.0.1/24
I tried to put it in my full search but it does not seem to work.
sourcetype=syslog source=/opt/splunk/rsyslog/udp/cisco.log host=firewall1 Deny tcp src
| head 1 | eval ip="10.10.10.101" | search ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/18 OR ip=XX.XX.XX.XX/17 OR ip=XX.XX.XX.XX/24 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/19
| append [head 2 | eval ip="10.10.10.102" | search ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/18 OR ip=XX.XX.XX.XX/17 OR ip=XX.XX.XX.XX/24 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/19]
| append [head 3 | eval ip="10.10.10.103" | search ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/19 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/18 OR ip=XX.XX.XX.XX/17 OR ip=XX.XX.XX.XX/24 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/20 OR ip=XX.XX.XX.XX/16 OR ip=XX.XX.XX.XX/19]
Could you advise, please?
Could anyone help with this?
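As an added illustration that is not part of this thread, here is the alert logic in plain Python: the posted ip_lookups.csv layout is loaded as a CIDR lookup table and applied to constructed Cisco ASA style "Deny tcp src ... dst ..." lines, so the src/dst pairs the alert should fire on can be checked outside Splunk. The Splunk-side equivalent is a CSV lookup whose transforms.conf stanza sets match_type = CIDR(ip); the log lines, the three watched hosts and the regex are assumptions made for the example.

```python
import csv
import ipaddress
import re

# Constructed stand-in for the posted ip_lookups.csv (same layout as the thread).
IP_LOOKUPS_CSV = """ip,location
200.100.32.0/19,target1 255.255.224.0
100.200.30.0/19,target2 255.255.224.0
50.60.80.0/20,target3 255.255.240.0
"""

# The three internal hosts from the poster's attempt (values taken from the thread).
WATCHED_SOURCES = {"10.10.10.101", "10.10.10.102", "10.10.10.103"}

# Assumed Cisco ASA 106023-style format: "Deny tcp src inside:A.B.C.D/port dst outside:E.F.G.H/port".
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src \S+?:(?P<src>\d+\.\d+\.\d+\.\d+)/\d+ "
    r"dst \S+?:(?P<dst>\d+\.\d+\.\d+\.\d+)/\d+"
)

# Constructed sample deny lines (not from the poster's firewall).
SAMPLE_LOG = [
    '%ASA-4-106023: Deny tcp src inside:10.10.10.101/51234 dst outside:200.100.40.7/443 by access-group "acl_in"',
    '%ASA-4-106023: Deny tcp src inside:10.10.10.102/51235 dst outside:100.200.5.9/22 by access-group "acl_in"',
    '%ASA-4-106023: Deny tcp src inside:10.10.10.103/51236 dst outside:50.60.95.1/80 by access-group "acl_in"',
    '%ASA-4-106023: Deny tcp src inside:10.10.10.104/51237 dst outside:200.100.40.8/443 by access-group "acl_in"',
    '%ASA-4-106023: Deny tcp src inside:10.10.10.101/51238 dst outside:8.8.8.8/53 by access-group "acl_in"',
]


def load_subnets(csv_text):
    """Parse the lookup CSV into (network, location) pairs, like a CIDR(ip) lookup in Splunk."""
    # strict=False: 100.200.30.0/19 in the posted CSV has host bits set, so it is
    # normalised to 100.200.0.0/19 instead of being rejected.
    return [(ipaddress.ip_network(row["ip"], strict=False), row["location"])
            for row in csv.DictReader(csv_text.splitlines())]


def match_denies(log_lines, subnets, watched=WATCHED_SOURCES):
    """Return (src, dst, location) for denies from a watched host to any lookup subnet."""
    hits = []
    for line in log_lines:
        m = DENY_RE.search(line)
        if not m or m["src"] not in watched:
            continue  # not a deny line, or not one of the three internal IPs
        dst = ipaddress.ip_address(m["dst"])
        for net, location in subnets:
            if dst in net:  # CIDR containment, the same test as "ip=X.X.X.X/19" in SPL
                hits.append((m["src"], m["dst"], location))
                break
    return hits
```

Running match_denies(SAMPLE_LOG, load_subnets(IP_LOOKUPS_CSV)) yields three rows; the fourth sample line is dropped because its source is not watched and the fifth because 8.8.8.8 is in no lookup subnet.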