Subnet collection

splunkinmcsplun · ‎04-07-2014

I want to be able to find the most vulnerable subnet. I know how to verify if an ip is in a subnet by using the cirdmatch function, but I want to collect subnets into a transaction (or just a collection) and then be able to do a search on these subnets to find which one contains the most number of vulnerabilities.

Any help would be appreciated!

Lowell · ‎04-16-2014

If you have a small number of subnets, you could use a technique like this:

<Vulnerability search> ... | eval subnet=case(cidrmatch("10.0.0.0/24", ip), "Subnet 10.0.0.x",  cidrmatch("10.0.0.1/24", ip), "Subnet 10.0.1.x",  0==0, "Unknown subnet") | stats count by subnet

As long as <Vulnerability search> returns events with an ip field, this simple technique should work. As far as I know, there's no simple way to automatically group IPs into subnets without actually defining what size of each individual network.

If all of your networks are "/24"s, then you could do something trivial like:

<Vulnerability search> ... | eval subnet=replace(ip, "^(\d+\.\d+\.\d+\).\d+$", "\1.x") | stats count by subnet

But that's about as far as regex tricks will take you. 😞

BTW, if you have a large range of subnets, or want an approach that more generally reusable, then I'd recommend using lookups. See the answer Using CIDR in a lookup table for the specifics on how to set this up in a lookup file.

Ayn · ‎04-08-2014

First of all you need to be able to define what a subnet is...

Subnet collection

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life