Splunk Search

How to search on IP range and not IP subnet?

honey4sec
Explorer

Hi we currently consuming threat intelligence data and want to correlate this in Splunk in a good way.
The problem is that some of the feeds deliver IP addresses in the format of ip-ip and not ip/subnet.
How can i make Splunk look at ip-ip as individual IP addresses to match against our firewall logs?

0 Karma
1 Solution

ehudb
Contributor

Assuming your threat ip fields are ip range:
"192.168.1.1-192.168.1.100" means ALL IP addresses between the range: 192.168.1.1,2,3,...100

You can use the following:

index=firewall |table fwsrc
|append [index=threat |table threatip ]

|makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1)
|table fwsrc startip  endip
|eventstats values(startip) as startip values(endip)  as endip
|stats count by fwsrc startip endip
|eval isThreat = if(fwsrc>=startip AND fwsrc<=endip,"T","F")
|stats values(isThreat) as isThreat by fwsrc |eval isThreat=if(isThreat=="T","T","F")

Explanation:
|makemv threatip delim="-" will convert the range to multivalue field with start and end
mvindex will extract them to new fields
eventstats will spread the threat ranges across the entire table
(fwsrc>=startip) can decide if fwsrc is 'bigger' than startip, means all it's 4 parts are above or equal to the other ip.
(fwsrc>=endtip) works the same in the opposite side
|stats values and eval will finally show only the ip that detected as threat in one of the ranges.


Another working approach would be converting all the ranges to a where clause in subsearch:

index=firewall |table fwsrc
|where
[index=threat |table threatip |makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1) |table startip endip
|eval where="fwsrc>=\""+startip+"\" AND fwsrc<=\""+endip+"\""  |return 10000 $where]

The subsearch here assembles the table:

threatip
-----------
192.168.1.2-192.168.1.100
10.0.0.1-10.1.0.100

into a single line where clause:
(fwsrc>="192.168.1.2" AND fwsrc<="192.168.1.100") OR (fwsrc>="10.0.0.1" AND fwsrc<="10.0.0.100")

Then, the |where command is using this string to filter the results.

View solution in original post

0 Karma

ehudb
Contributor

Assuming your threat ip fields are ip range:
"192.168.1.1-192.168.1.100" means ALL IP addresses between the range: 192.168.1.1,2,3,...100

You can use the following:

index=firewall |table fwsrc
|append [index=threat |table threatip ]

|makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1)
|table fwsrc startip  endip
|eventstats values(startip) as startip values(endip)  as endip
|stats count by fwsrc startip endip
|eval isThreat = if(fwsrc>=startip AND fwsrc<=endip,"T","F")
|stats values(isThreat) as isThreat by fwsrc |eval isThreat=if(isThreat=="T","T","F")

Explanation:
|makemv threatip delim="-" will convert the range to multivalue field with start and end
mvindex will extract them to new fields
eventstats will spread the threat ranges across the entire table
(fwsrc>=startip) can decide if fwsrc is 'bigger' than startip, means all it's 4 parts are above or equal to the other ip.
(fwsrc>=endtip) works the same in the opposite side
|stats values and eval will finally show only the ip that detected as threat in one of the ranges.


Another working approach would be converting all the ranges to a where clause in subsearch:

index=firewall |table fwsrc
|where
[index=threat |table threatip |makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1) |table startip endip
|eval where="fwsrc>=\""+startip+"\" AND fwsrc<=\""+endip+"\""  |return 10000 $where]

The subsearch here assembles the table:

threatip
-----------
192.168.1.2-192.168.1.100
10.0.0.1-10.1.0.100

into a single line where clause:
(fwsrc>="192.168.1.2" AND fwsrc<="192.168.1.100") OR (fwsrc>="10.0.0.1" AND fwsrc<="10.0.0.100")

Then, the |where command is using this string to filter the results.

0 Karma

ehudb
Contributor

Assuming the ip field looks like this:
"192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1"

You can convert it to multivalue field, and then expand to rows:
|makemv delim="-" ip |mvexpand ip

"192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1" ->
ip
192.168.1.1
192.168.1.2
192.168.1.3
10.0.0.1

Full example:
| makeresults count=1 |eval ip="192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1" |table ip
|makemv delim="-" ip |mvexpand ip

0 Karma

honey4sec
Explorer

The ip Field looks like this
192.168.3.35-192.168.3.47
I don't think think the answer apply to this.
But im not a splunk superman yet

0 Karma

ehudb
Contributor

Ok I understand the range is |fromip-toip"
I will post new answer according to this

0 Karma

ehudb
Contributor

What's the different from your example:
192.168.3.35-192.168.3.47

To my example:
192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...