Splunk Search

match_type = CIDR doesn't seem to work

ccsfdave
Builder

I have the following lookup:

transforms.conf

[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)

props.conf

[cisco_asa]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department

ipam.csv

src_ip,Dept
10.8.1.0/10,Soap
10.17.101.0/16,Clean
10.17.102.0/15,Clean

When I do a search though, much more than what I would expect is being matched (I masked the results; the first is full, the second and third are abbreviated for readability):

» 7/3/13 7:42:30.000 AM Jul 3 07:42:30 ... %ASA-6-305012: Teardown dynamic TCP translation from inside:.../** to outside:.../** duration 0:00:30
host=... sourcetype=cisco_asa source=/var/log/syslog/blah.log src_ip=10.35.36.20 Department=Soap

» 7/3/13 7:42:30.000 AM
src_ip=10.15.1.12 Department=Soap

» 7/3/13 7:42:30.000 AM
src_ip=10.17.31.174 Department=Soap Department=Clean

So, as you can see, the CIDR matching is not really working well. The first and second results are incorrect IP ranges for the Soap department, and the third entry matches both departments when it should simply match Clean.

1 Solution

gkanapathy
Splunk Employee

Actually, it is working correctly, but I think you are incorrectly specifying your CIDR ranges. For example, 10.8.1.0/10 (which is the same as 10.0.0.0/10) will match anything in the range 10.0.0.0 through 10.63.255.255, which includes your other two ranges as well as your examples. 10.17.101.0/15 (which is the same as 10.16.0.0/15) includes everything in 10.16.*.* and 10.17.*.*.

My guess (just a guess) is that your ranges should actually all be /24 ranges. Though of course I don't know your network topology, you are unlikely to want overlapping CIDR ranges for different departments.
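The behaviour described in the answer, worked through as an added example (this is not code from the post or from Splunk): it normalises each CIDR in the posted ipam.csv to its network address, emulates a match_type=CIDR lookup in which every containing row matches (which is why the third event got both departments), and flags rows whose networks overlap but map to different departments. The /24 table at the end is an assumption taken from the answer's guess, not from the poster's real topology.

```python
import csv
import io
import ipaddress

# Constructed copy of the ipam.csv from the question.
IPAM_CSV = """src_ip,Dept
10.8.1.0/10,Soap
10.17.101.0/16,Clean
10.17.102.0/15,Clean
"""

# Assumed corrected table, following the answer's guess that all rows are /24s.
IPAM_CSV_FIXED = """src_ip,Dept
10.8.1.0/24,Soap
10.17.101.0/24,Clean
10.17.102.0/24,Clean
"""


def load_lookup(text):
    """Parse the CSV into (as_written, network, dept) tuples.

    strict=False accepts a host address with a short prefix (10.8.1.0/10)
    and canonicalises it to the network address (10.0.0.0/10), which is the
    range the lookup actually matches against.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row["src_ip"].strip(), strict=False)
        rows.append((row["src_ip"].strip(), net, row["Dept"].strip()))
    return rows


def normalised(text):
    """Map each CIDR as written to its canonical network, e.g. '10.8.1.0/10' -> '10.0.0.0/10'."""
    return {written: str(net) for written, net, _ in load_lookup(text)}


def cidr_lookup(text, src_ip):
    """Emulate match_type=CIDR(src_ip): every row whose network contains the
    address matches, so overlapping rows yield one Dept value per row.
    Duplicate values are collapsed, keeping first-seen order, the way a
    multivalue field displays."""
    ip = ipaddress.ip_address(src_ip)
    depts = [dept for _, net, dept in load_lookup(text) if ip in net]
    return list(dict.fromkeys(depts))


def overlapping_rows(text):
    """Return pairs of rows (as written) whose networks overlap but disagree
    on Dept. Any hit here is a lookup table that will emit ambiguous output."""
    rows = load_lookup(text)
    found = []
    for i in range(len(rows)):
        for j in range(i + 1, len(rows)):
            a_written, a_net, a_dept = rows[i]
            b_written, b_net, b_dept = rows[j]
            if a_net.overlaps(b_net) and a_dept != b_dept:
                found.append((a_written, b_written))
    return found


if __name__ == "__main__":
    for written, canonical in normalised(IPAM_CSV).items():
        print(f"{written:18} -> {canonical}")
    for ip in ("10.35.36.20", "10.15.1.12", "10.17.31.174"):
        print(ip, cidr_lookup(IPAM_CSV, ip))
    print("conflicting overlaps:", overlapping_rows(IPAM_CSV))
    print("conflicting overlaps after fix:", overlapping_rows(IPAM_CSV_FIXED))
```

Running overlapping_rows over a lookup table before deploying it catches exactly this class of mistake: a short prefix that swallows the other rows. With the assumed /24 table, none of the three src_ip values from the question match any row at all, which is the expected result if those hosts are simply outside the departments listed.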


ccsfdave
Builder

Ugh, right you were gkanapathy!


ccsfdave
Builder

D'oh, let me verify... this is what I get for subnetting with an online calculator rather than doing it by hand...


ccsfdave
Builder

BTW, the search was very open: sourcetype=cisco_asa Department="*"
