I'm trying to search records where the destination IP is in a lookup table consisting of a list of cidr ranges, but the source IP is not in one of those ranges. This was my initial thought on how to do it.
index=* | fields srcip dstip | where cidrmatch([| inputlookup IP_Ranges], dstip) AND !cidrmatch([| inputlookup IP_Ranges], srcip)
The lookup table is just a list of cidr ranges like
10.0.1.0/24
10.0.5.0/24
10.0.100.0/24
Any suggestions are greatly appreciated.
The problem is that the first argument for cidrmatch is not a list of subnets, it is a string. And I don't know if the string can contain multiple subnets.
Another way to do this is to use the lookup command. But for this to work, you need to make sure that the following options appear in your transforms.conf
[IP_Ranges]
min_matches = 1
default_match = NONE
match_type = CIDR(cidr_range)
This assumes that your lookup file has a header row (which it must) and that the field name in the header is cidr_range
.
index=* | fields srcip dstip
| lookup IP_Ranges cidr_range as srcip OUTPUT cidr_range as src_match
| where src_match != "NONE"
| lookup IP_Ranges cidr_range as dstip OUTPUT cidr_range as dst_match
| where dst_match != "NONE"
| etc
Now you have two new fields, src_match
and dst_match
which will contain all the subnets that matched the srcip and dstip, respectively. If an ip does not match any subnets, the field will contain the string "NONE".
This was very helpful, thanks
The problem is that the first argument for cidrmatch is not a list of subnets, it is a string. And I don't know if the string can contain multiple subnets.
Another way to do this is to use the lookup command. But for this to work, you need to make sure that the following options appear in your transforms.conf
[IP_Ranges]
min_matches = 1
default_match = NONE
match_type = CIDR(cidr_range)
This assumes that your lookup file has a header row (which it must) and that the field name in the header is cidr_range
.
index=* | fields srcip dstip
| lookup IP_Ranges cidr_range as srcip OUTPUT cidr_range as src_match
| where src_match != "NONE"
| lookup IP_Ranges cidr_range as dstip OUTPUT cidr_range as dst_match
| where dst_match != "NONE"
| etc
Now you have two new fields, src_match
and dst_match
which will contain all the subnets that matched the srcip and dstip, respectively. If an ip does not match any subnets, the field will contain the string "NONE".
HI,
I did exactly the same steps, but i am only getting NONE (default) for all the entries. I have checked and matches do exists on the csv file. Any pointers on why ip is not getting matched to CIDR and how can it be resolved?
Late to the show here, but I had the same issue. Found I had spaces at the end of my cidr_range values. If you copy/paste, make sure there are no leading/trailing spaces.
I'm trying to apply this query to a search of my Symantec logs and I'm having issues getting output to return the subnets that matched the src and dest IPs. My search is as follows:
index=symantec sourcetype=symantec:ep:risk:file action=allowed OR action=deferred AND Risk_Action="Virus found" | rename actual_action as "Action" dest as "Host" dest_ip as "Host IP" user as "User" Risk_Action as "Detection Type" signature as "Malware Name" | fields "Host IP"
| lookup ip_cidr cidr_range as "Host IP" OUTPUT cidr_range as ip_match
My lookup file has three other columns in addition to cidr_range. What I'd like to do is match the src or dest IP to the IP cidr and then pull the zone/firewall/context the user is associated with.
Would appreciate any help
Thx
A friend pointed this out, but this can be done without CLI access now. Perform the following:
1) Settings -> Lookups -> Lookup Definitions
2) Check the box for: "Advanced options"
3) Match type: CIDR([fieldname]) <-- fieldname is the field with the CIDR addresses in it
Then in your search:
... | lookup [fieldname] as src_ip OUTPUT site as src_site
Hi Lisa,
great thing.
Can this be done without transforms.conf?
I.E. just upload the csv and then do the lookup inline?
(Our users are 'of course' not allowed to modify Splunk configs)
Rgds,
Jens
How about mixed IPv4 and IPv6 CIDR matches
ip_range,info
192.168.1.0/24,foo
2001::1/48,bar
Thanks that hellped me a lot !
nicely done
Or just how should I go about matching the IP address from the cidr ranges?
index=* | fields srcip dstip | where cidrmatch([| inputlookup IP_Ranges], dstip)