Splunk Search

How to search on IP range and not IP subnet?

honey4sec
Explorer

Hi we currently consuming threat intelligence data and want to correlate this in Splunk in a good way.
The problem is that some of the feeds deliver IP addresses in the format of ip-ip and not ip/subnet.
How can i make Splunk look at ip-ip as individual IP addresses to match against our firewall logs?

0 Karma
1 Solution

ehudb
Contributor

Assuming your threat ip fields are ip range:
"192.168.1.1-192.168.1.100" means ALL IP addresses between the range: 192.168.1.1,2,3,...100

You can use the following:

index=firewall |table fwsrc
|append [index=threat |table threatip ]

|makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1)
|table fwsrc startip  endip
|eventstats values(startip) as startip values(endip)  as endip
|stats count by fwsrc startip endip
|eval isThreat = if(fwsrc>=startip AND fwsrc<=endip,"T","F")
|stats values(isThreat) as isThreat by fwsrc |eval isThreat=if(isThreat=="T","T","F")

Explanation:
|makemv threatip delim="-" will convert the range to multivalue field with start and end
mvindex will extract them to new fields
eventstats will spread the threat ranges across the entire table
(fwsrc>=startip) can decide if fwsrc is 'bigger' than startip, means all it's 4 parts are above or equal to the other ip.
(fwsrc>=endtip) works the same in the opposite side
|stats values and eval will finally show only the ip that detected as threat in one of the ranges.


Another working approach would be converting all the ranges to a where clause in subsearch:

index=firewall |table fwsrc
|where
[index=threat |table threatip |makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1) |table startip endip
|eval where="fwsrc>=\""+startip+"\" AND fwsrc<=\""+endip+"\""  |return 10000 $where]

The subsearch here assembles the table:

threatip
-----------
192.168.1.2-192.168.1.100
10.0.0.1-10.1.0.100

into a single line where clause:
(fwsrc>="192.168.1.2" AND fwsrc<="192.168.1.100") OR (fwsrc>="10.0.0.1" AND fwsrc<="10.0.0.100")

Then, the |where command is using this string to filter the results.

View solution in original post

0 Karma

ehudb
Contributor

Assuming your threat ip fields are ip range:
"192.168.1.1-192.168.1.100" means ALL IP addresses between the range: 192.168.1.1,2,3,...100

You can use the following:

index=firewall |table fwsrc
|append [index=threat |table threatip ]

|makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1)
|table fwsrc startip  endip
|eventstats values(startip) as startip values(endip)  as endip
|stats count by fwsrc startip endip
|eval isThreat = if(fwsrc>=startip AND fwsrc<=endip,"T","F")
|stats values(isThreat) as isThreat by fwsrc |eval isThreat=if(isThreat=="T","T","F")

Explanation:
|makemv threatip delim="-" will convert the range to multivalue field with start and end
mvindex will extract them to new fields
eventstats will spread the threat ranges across the entire table
(fwsrc>=startip) can decide if fwsrc is 'bigger' than startip, means all it's 4 parts are above or equal to the other ip.
(fwsrc>=endtip) works the same in the opposite side
|stats values and eval will finally show only the ip that detected as threat in one of the ranges.


Another working approach would be converting all the ranges to a where clause in subsearch:

index=firewall |table fwsrc
|where
[index=threat |table threatip |makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1) |table startip endip
|eval where="fwsrc>=\""+startip+"\" AND fwsrc<=\""+endip+"\""  |return 10000 $where]

The subsearch here assembles the table:

threatip
-----------
192.168.1.2-192.168.1.100
10.0.0.1-10.1.0.100

into a single line where clause:
(fwsrc>="192.168.1.2" AND fwsrc<="192.168.1.100") OR (fwsrc>="10.0.0.1" AND fwsrc<="10.0.0.100")

Then, the |where command is using this string to filter the results.

0 Karma

ehudb
Contributor

Assuming the ip field looks like this:
"192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1"

You can convert it to multivalue field, and then expand to rows:
|makemv delim="-" ip |mvexpand ip

"192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1" ->
ip
192.168.1.1
192.168.1.2
192.168.1.3
10.0.0.1

Full example:
| makeresults count=1 |eval ip="192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1" |table ip
|makemv delim="-" ip |mvexpand ip

0 Karma

honey4sec
Explorer

The ip Field looks like this
192.168.3.35-192.168.3.47
I don't think think the answer apply to this.
But im not a splunk superman yet

0 Karma

ehudb
Contributor

Ok I understand the range is |fromip-toip"
I will post new answer according to this

0 Karma

ehudb
Contributor

What's the different from your example:
192.168.3.35-192.168.3.47

To my example:
192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1

0 Karma
Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...