Splunk Search

Determining if a CIDR Block is completely contained in another

BearMormont
Path Finder

I'm looking for a way to take a CIDR range in the format x.x.x.x/x and tell if it is completely enclosed within one of the private CIDR ranges (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16).

I'd like to be able to evaluate the CIDR block and ensure all of its IPs fall into the private range. For example, I have an event that has a CIDR_Value field and that value is 172.31.0.0/24. That range of IPs should be completely within the private 172.16.0.0/12 CIDR block. I'm looking for a way to evaluate that as true or false.

I read up on cidrmatch but that relies on you feeding in an IP and a CIDR block, not two CIDR blocks.

Any suggestions would be greatly appreciated.


BearMormont
Path Finder

This is what I decided to use though I can't be sure if it is correct or not. If anyone has a better solution I will change the answer.

 | ...
 | rex field=cidr_field "(?<oct1>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct2>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct3>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct4>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)($|\/(?<mask>3[0-2]|2\d|1\d|\d))?"
 | eval NetType = if((oct1==10) AND (mask>=8),"Private",if((oct1==172) AND (oct2>=16) AND (oct2<=31) AND (mask>=12),"Private",if((oct1==192) AND (oct2==168) AND (mask>=16),"Private","Public")))
 | ...
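The containment test the search above spells out per octet, written as general prefix arithmetic so it can be checked against the thread's own cases (this is an added example, not code from the original post; the names `parse_cidr`, `cidr_contains` and `net_type` are mine). In SPL the same rule is "child mask >= parent mask AND cidrmatch(parent_cidr, child_base_ip)".

```python
# Added example, not part of the original thread.
# A block B is completely inside a block A when B's prefix is at least as
# long as A's and B's network address, masked with A's prefix, equals A's
# network address. The three RFC 1918 ranges from the question:
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_cidr(cidr):
    """Return (network_as_int, prefix_len). Host bits are cleared, so
    10.1.2.3/8 is treated as the 10.0.0.0/8 block."""
    addr, _, prefix = cidr.partition("/")
    if not prefix.isdigit():
        raise ValueError(f"missing or bad prefix length: {cidr!r}")
    octets = addr.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {cidr!r}")
    plen = int(prefix)
    if plen > 32:
        raise ValueError(f"bad prefix length: {cidr!r}")
    ip = 0
    for o in octets:
        ip = (ip << 8) | int(o)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return ip & mask, plen


def cidr_contains(parent, child):
    """True iff every address of `child` lies inside `parent`."""
    p_net, p_len = parse_cidr(parent)
    c_net, c_len = parse_cidr(child)
    if c_len < p_len:          # child is wider than parent: cannot fit
        return False
    p_mask = (0xFFFFFFFF << (32 - p_len)) & 0xFFFFFFFF
    return (c_net & p_mask) == p_net


def net_type(cidr):
    """Same Private/Public label as the NetType eval in the search."""
    return "Private" if any(cidr_contains(p, cidr) for p in RFC1918) else "Public"


if __name__ == "__main__":
    # Constructed sample values, including the 172.x second-octet edge cases
    # that an `oct2>=16` check without an upper bound would mislabel.
    for c in ("172.31.0.0/24", "172.200.0.0/16", "172.16.0.0/11", "10.1.2.3/8"):
        print(c, net_type(c))
```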


BearMormont
Path Finder

This is sort of what I have now, but I don't know if the logic is sound or if there is a chance it will interpret the data incorrectly. If someone could look it over and let me know what they think I'd appreciate it:

| ...
| rex field=cidr_field "(?<oct1>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct2>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct3>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.(?<oct4>25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)($|\/(?<mask>3[0-2]|2\d|1\d|\d))?"
| eval NetType = if((oct1==10) AND (mask>=8),"Private",if((oct1==172) AND (oct2>=16) AND (oct2<=31) AND (mask>=12),"Private",if((oct1==192) AND (oct2==168) AND (mask>=16),"Private","Public")))
| ...