Splunk Search

not receiving any outcomes for CIDR IPs

hem03
Loves-to-Learn Lots

Hello community,

I aim to compare the 'src_ip' referenced below with the CIDR IP ranges in the lookup file 'zscalerip.csv' using the query provided. If there is a match, the result should be recorded as true in the 'Is_managed_device' field; otherwise, it should be marked as false. However, upon executing this query, I'm obtaining identical results for all IPs, irrespective of whether they match the CIDR range. 

I have created a new lookup definition for the lookup and implemented the following changes:

Type = file-based
min_matches = 0
default_match = NONE
filename = zscalerip.csv
match_type = CIDR(CIDR)


CIDR IP range in lookup file:

CIDR
168.246.*.*
8.25.203.0/24
64.74.126.64/26
70.39.159.0/24
136.226.158.0/23




Splunk Query:

| makeresults | eval src_ip="10.0.0.0 166.226.118.0 136.226.158.0 185.46.212.0 2a03:eec0:1411::"
| makemv delim=" " src_ip
| mvexpand src_ip
| lookup zscalerip.csv CIDR AS src_ip OUTPUT CIDR as CIDR_match
| eval Is_managed_device=if(cidrmatch(CIDR_match,src_ip), "true", "false")
| table src_ip Is_managed_device


Getting the result in the format below:

src_ip Is_managed_device
10.0.0.0 FALSE
166.226.118.0 FALSE
136.226.158.0 FALSE
185.46.212.0 FALSE
2a03:eec0:1411:: FALSE


yuanliu
SplunkTrust

I am a little confused by the SPL.  Did you try this?

| makeresults | eval src_ip="10.0.0.0 166.226.118.0 136.226.158.0 185.46.212.0 2a03:eec0:1411::"
| makemv delim=" " src_ip
| mvexpand src_ip
| lookup zscalerip.csv CIDR AS src_ip OUTPUT CIDR as CIDR_match
| eval Is_managed_device=if(isnull(CIDR_match), "false", "true")
| table src_ip Is_managed_device


hem03
Loves-to-Learn Lots

I tried using the 'isnull' and 'isnotnull' functions, but received the same 'false' result for both.


yuanliu
SplunkTrust

I entered your sample table in a lookup zscalerip.csv:

CIDR
168.246.0.0/16
8.25.203.0/24
64.74.126.64/26
70.39.159.0/24
136.226.158.0/23

(Your original first line 168.246.*.* is not CIDR notation, so I speculated it to be a misspelling of 168.246.0.0/16.  This is immaterial to the problem at hand.)


[zscalerip.csv]
batch_index_query = 0
case_sensitive_match = 1
filename = zscalerip.csv
match_type = CIDR(CIDR)


Using the exact search I posted above, the output is:

src_ip            Is_managed_device
10.0.0.0          false
166.226.118.0     false
136.226.158.0     true
185.46.212.0      false
2a03:eec0:1411::  false
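To see what a correct CIDR match should return for the sample data in this thread, here is an added Python example (not code from the thread, from Splunk, or from a lookup file) that re-implements the matching in Python's standard ipaddress module over a constructed copy of the CSV above, keeping the invalid 168.246.*.* row so it can be reported rather than silently ignored; the function names load_cidrs, cidr_match and classify are assumptions for this example.

```python
import csv
import io
import ipaddress

# Constructed copy of the lookup file from the question, including the
# non-CIDR first row that appeared in the original post.
ZSCALERIP_CSV = """CIDR
168.246.*.*
8.25.203.0/24
64.74.126.64/26
70.39.159.0/24
136.226.158.0/23
"""


def load_cidrs(csv_text):
    """Parse the CIDR column; return (valid networks, rejected raw entries).

    Rows that are not valid CIDR notation are collected in `rejected` so a
    defender can spot bad lookup data instead of getting a silent non-match.
    """
    networks, rejected = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row["CIDR"].strip()
        try:
            networks.append(ipaddress.ip_network(raw, strict=False))
        except ValueError:
            rejected.append(raw)
    return networks, rejected


def cidr_match(src_ip, networks):
    """Return the first network containing src_ip, or None when nothing matches.

    A None here corresponds to the lookup OUTPUT field being absent, which is
    what the isnull() check in the accepted SPL relies on.
    """
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return None  # malformed address never matches
    for net in networks:
        # IPv6 addresses never fall inside an IPv4 network and vice versa.
        if addr.version == net.version and addr in net:
            return str(net)
    return None


def classify(src_ips, csv_text=ZSCALERIP_CSV):
    """Map each src_ip to the Is_managed_device value the search should produce."""
    networks, _ = load_cidrs(csv_text)
    return {ip: ("true" if cidr_match(ip, networks) else "false") for ip in src_ips}
```

Running classify on the five addresses from the question yields "true" only for 136.226.158.0, matching the output yuanliu posted, and load_cidrs reports 168.246.*.* as a rejected row.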

hem03
Loves-to-Learn Lots

I'm still getting the wrong result. When I tried with a single IPv4 address, it worked, but I encountered the issue only with CIDR IP ranges. Do I need to make any changes from the backend?


yuanliu
SplunkTrust

My test is on a basic installation on my laptop.  CIDR match works as is.  Maybe delete that lookup and redo it?  Do you use the UI or edit transforms.conf directly?  If you use the UI, maybe post the part where you set up CIDR match?  Is there a mismatch between the field name in the CIDR setup and the actual file header?  I already showed my test file content and the lookup stanza in transforms.conf.  Here they are from the UI:

[Screenshots: image.png, lookup-definition.png]

Also avoid bad entries like *.* in the file.  I don't know if that will ruin CIDR match, but why take the risk?


hem03
Loves-to-Learn Lots

I'm still receiving an inaccurate result.
