Splunk Enterprise

Check IPs on Blacklist in CIDR notation

toddbey2
New Member

I'm struggling with the following:
I have a search that returns all public IP addresses for which a connection was made on my Cisco ASA 5516-X firewall.
host="192.168.10.2" Built | rex "(?<ip1>\d+\.\d+\.\d+\.\d+)/" max_match=0 | top limit=10000 ip1 | where NOT (ip1 LIKE "192.168.%.%")

I'd like to compare this list against the below blacklist
http://iplists.firehol.org/?ipset=firehol_level1

The primary problem I have is that the IP lists returned are singular and the blacklist is in CIDR notation. Is there a way to compare a list of single IPs to see if they match any entries within a CIDR notation?

Thanks


maciep
Champion

I haven't used it but there is a function for eval/where called cidrmatch - seems to do just that.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

cidrmatch("X",Y)

This function returns true when an IP address Y belongs to a particular subnet X. The function uses two string arguments: the first is the CIDR subnet; the second is the IP address to match.

This example uses cidrmatch to set a field, isLocal, to "local" if the field ip matches the subnet, or "not local" if it does not:
... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")

This example uses cidrmatch as a filter:

... | where cidrmatch("123.132.32.0/25", ip)
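Scaling the cidrmatch idea from one hard-coded subnet to the whole firehol list, as an added example that comes from neither poster: it assumes the list has been saved as a CSV lookup file firehol_level1.csv with a single header column `cidr` (one block per row, bare IPs written as /32, lines starting with # dropped), and a lookup definition named firehol_level1 in transforms.conf carrying `match_type = CIDR(cidr)`, which makes the lookup match on subnet membership instead of exact string equality. It also goes slightly beyond the question by excluding all three RFC 1918 ranges rather than only 192.168.x.x, and uses stats instead of top so the count is kept alongside the match.

```spl
host="192.168.10.2" Built
``` capture only the address, not the /port that follows it in ASA "Built" messages ```
| rex "(?<ip1>\d{1,3}(?:\.\d{1,3}){3})/\d+" max_match=0
| stats count BY ip1
``` drop private (RFC 1918) addresses before hitting the lookup ```
| where NOT cidrmatch("10.0.0.0/8", ip1)
    AND NOT cidrmatch("172.16.0.0/12", ip1)
    AND NOT cidrmatch("192.168.0.0/16", ip1)
``` CIDR-typed lookup: ip1 is compared against every block in the list;
    the block that matched is returned as matched_cidr, null when nothing matched ```
| lookup firehol_level1 cidr AS ip1 OUTPUT cidr AS matched_cidr
| where isnotnull(matched_cidr)
| sort - count
| table ip1 matched_cidr count
```

Without the CIDR match_type on the lookup definition the same search silently returns nothing, because a plain lookup compares "203.0.113.5" against "203.0.113.0/24" as strings.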