Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About commanman
commanman
Explorer
Member since:
09-02-2021
03-13-2022
Community Statistics
| Posts | 6 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 09-02-2021 |
Activity Feed
- Karma Re: How to combine a range of multiple IP address and compare it to a variable for PickleRick. 09-05-2021 08:35 PM
- Posted Re: How to combine a range of multiple IP address and compare it to a variable on Splunk Search. 09-04-2021 06:44 PM
- Karma Re: How to combine a range of multiple IP address and compare it to a variable for ITWhisperer. 09-04-2021 06:43 PM
- Posted Re: How to match an ip address to cidr in lookup table on Splunk Search. 09-03-2021 08:20 PM
- Posted Re: How to combine a range of multiple IP address and compare it to a variable on Splunk Search. 09-03-2021 05:47 PM
- Tagged How to match an ip address to cidr in lookup table? on Splunk Search. 09-02-2021 02:55 AM
- Tagged How to match an ip address to cidr in lookup table? on Splunk Search. 09-02-2021 02:55 AM
- Posted How to match an ip address to cidr in lookup table? on Splunk Search. 09-02-2021 02:47 AM
- Tagged How to match an ip address to cidr in lookup table? on Splunk Search. 09-02-2021 02:47 AM
- Tagged How to match an ip address to cidr in lookup table? on Splunk Search. 09-02-2021 02:47 AM
- Tagged How to match an ip address to cidr in lookup table? on Splunk Search. 09-02-2021 02:47 AM
- Posted How to combine a range of multiple IP address and compare it to a variable on Splunk Search. 09-02-2021 02:15 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
09-04-2021
06:44 PM
Thanks @ITWhisperer for helping out.
... View more
09-03-2021
08:20 PM
Hey @shivanshu1593 , As you suggested, What I have a tried is this: Here is my correlation search: | tstats summariesonly=true allow_old_summaries=true values(IDS_Attacks.dest) as "dest" dc(IDS_Attacks.dest) as "count" values(IDS_Attacks.signature) as signature from datamodel="Intrusion_Detection"."IDS_Attacks" where IDS_Attacks.severity!="informational" by "IDS_Attacks.src" "IDS_Attacks.severity" | rename "IDS_Attacks.src" as "src" "IDS_Attacks.severity" as severity | where 'count'>25 | search (src!=10.161.35.50 AND src!=161.16.157.154 AND src!=161.16.155.105 AND src!=161.16.156.118 AND src!=165.249.145.180 AND src!=10.160.8.170 AND src!=10.160.8.171 AND src!=10.160.8.172 AND src!=10.160.8.173 AND src!=10.172.8.170 AND src!=10.172.8.171) //Part where in want to input a lookup table | where ( NOT cidrmatch("13.59.252.0/25",src) AND NOT cidrmatch("13.56.21.128/25",src) AND NOT cidrmatch("35.177.219.0/26",src) AND NOT cidrmatch("13.210.1.64/26",src) AND NOT cidrmatch("54.175.125.192/26",src) AND NOT cidrmatch("54.219.188.128/26",src) AND NOT cidrmatch("54.93.254.128/26",src) AND NOT cidrmatch("54.255.254.0/26",src) AND NOT cidrmatch("10.161.69.43/32",src) AND NOT cidrmatch("10.161.69.44/32",src) AND NOT cidrmatch("161.16.157.80/32",src) AND NOT cidrmatch("161.16.157.64/32",src) AND NOT cidrmatch("161.16.157.138/32",src) AND NOT cidrmatch("161.16.157.213/32",src) AND NOT cidrmatch("161.16.157.216/32",src)) So here i have created a lookup table having all the CIDR BLOCKS in a excel with .csv extension. STEP1: My excel file looks like this: Step 2: Now I have converted this to .csv file Step3: Uploaded in lookup table. Step 4: Checking if file uploaded successfully: Step 5: Created a lookup definition as you suggested Go to settings -> lookups -> lookup definitions and see if a definition for your lookup exists or not (It should, cos that's required to make it available for searching.). If not there, then please create one. In the definition for your lookup, open it and click Advanced options and under Match Type, Please enter the following and click save. CIDR(cidr_match_src_ip) =è mine would be CIDR(CIDR) I have reduced the complexity let me know if this wrong or not. Step 6: Now checking if it has been successfully created Step 7: Now that every thing is in place lets run this query. | Your base search | search NOT [| inputlookup your_lookup_name.csv | rename cidr_match_src_ip as src_ip | fields src_ip] | Rest of your query. ==================MY QUERY ++++++++++++++++++++++++++++++++ | tstats summariesonly=true allow_old_summaries=true values(IDS_Attacks.dest) as "dest" dc(IDS_Attacks.dest) as "count" values(IDS_Attacks.signature) as signature from datamodel="Intrusion_Detection"."IDS_Attacks" where IDS_Attacks.severity!="informational" by "IDS_Attacks.src" "IDS_Attacks.severity" | rename "IDS_Attacks.src" as "src" "IDS_Attacks.severity" as severity | where 'count'>25 | search (src!=10.161.35.50 AND src!=161.16.157.154 AND src!=161.16.155.105 AND src!=161.16.156.118 AND src!=165.249.145.180 AND src!=10.160.8.170 AND src!=10.160.8.171 AND src!=10.160.8.172 AND src!=10.160.8.173 AND src!=10.172.8.170 AND src!=10.172.8.171) //Part where in will insert our methodology | search NOT [ | inputlookup cidr.csv | rename CIDR as src | fields src ] This does not works. ERROR I AM FACING ARE: The output stats is also not correct. If you could correct me where I am wrong would be great. Thanks, @commonman
... View more
09-03-2021
05:47 PM
Hello @maciep and @PickleRick , it is a portion of my larger query. So i have a correlation search which detects scanner in on my Infrastructure assets but there are some legitmate ip address assigned to the server which should be excluded from the matching then source. For eg: Attacker scans my webserver having IP of 123.2.3.245 Me scanning the webserver having ip address 10.10.10.10 Internal unauthorized employee scanning for the webserver 10.1.10.20 Coming to my point is that there a search query in place which detect these and stores in a variable called src. Now i wont to exclude a range of ip address like 10 -20 ip address for scanning in the same background creating a lookup for that would be a waste of resources. Hence, I query looks like this | search NOT src IN (10.161.5.50, 10.161.5.51, 10.161.5.52, 10.161.5.53, 10.161.10.20, 192.168.1.120, 192.168.1.130 ) What i want to do is group those near by ip address | search NOT src IN (10.161.5.5[0-3], 10.161.10.20, 192.168.1.120, 192.168.1.130 ) something on these lines. I have seen few regex/ ip commands on the forum which are used. But i a bit confused what would work here I hope this makes any sense to you guys.
... View more
09-02-2021
02:47 AM
Hey there Splunk hero's,
Story/Background:
So, there is this variable called "src_ip" in my correlation search. The "src_ip" is a more than 5000+ ip address.
What i am doing is matching these ip address which should not be in a particular CIDR range using cidrmatch function which works prefectly.
Which looks something like this :
| where (NOT cidrmatch("34.20.223.128/25",src_ip) AND NOT cidrmatch("13.9.22.0/25",src_ip) AND NOT cidrmatch("13.56.21.18/25",src_ip) AND NOT cidrmatch("35.17.29.0/26",src_ip) AND NOT(many-more,src_ip))
SOLUTION REQUIRED:
Now, coming to the part where i need your help is .
I want to simply this. SOLUTION Tried: PART 1: Solutions which i have searched over the forum tell me to create a lookup table and look through it.
So, I have created a lookup table named "match_cidr.csv". This csv/lookup file consist of more that 100+ CIDR blocks under a variable called cidr_match_src_ip. What i have tried looking into this via this command. there is a tstat command as well so,
Query looks like this
[ | inputlookup match_cidr.csv | where src_ip != cidr_match_src_ip] ===> this won't work since i am comparing a CIDR to IP address directly. where NOT cidrmatch([| inputlookup match_cidr.csv], src) ==> tried this as well
What can i use here or what other things can you recommend me to do. Feel free to ask any more question to me if my message isn't clear
... View more
09-02-2021
02:15 AM
So, I have multiple ip addresses i want to combine them using regex or normal by supplying dashes and compare them to the variable. For eg: This is my existing query: | search NOT src IN (10.161.5.50 , 10.161.5.51,10.161.5.52, 10.161.5.53,10.161.10.20,192.168.1.120,192.168.1.130 ) I had an output of 15 matched output. What i have tried doing to get result is: | search NOT src IN ("10.161.5.5[0-3]", 10.161.10.20,192.168.1.120,192.168.1.130) Doing this lead to an increase in the matched query up to 30 results. Why was this happening and what can i do to prevent it. Any solutions?
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
03-13-2022
06:32 AM
|
