I'm struggling with the following
I have a search that returns all public IP addresses for which a connection was made on my Cisco ASA 5516-X firewall.
host="192.168.10.2" Built | rex "(?<ip1>\d+\.\d+\.\d+\.\d+/)" max_match=0 | top limit=10000 ip1 | where NOT (ip1 LIKE "192.168.%.%")
I'd like to compare this list against the below blacklist
http://iplists.firehol.org/?ipset=firehol_level1
The primary problem I have is that the IP lists returned are singular and the blacklist is in CIDR notation. Is there a way to compare a list of single IPs to see if they match any entries within a CIDR notation?
Thanks
I haven't used it but there is a function for eval/where called cidrmatch - seems to do just that.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
cidrmatch("X",Y)
This function returns true when an IP address Y belongs to a particular subnet X. The function uses two string arguments: the first is the CIDR subnet; the second is the IP address to match.
This example uses cidrmatch to set a field, isLocal, to "local" if the field ip matches the subnet, or "not local" if it does not:
... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")
This example uses cidrmatch as a filter:
... | where cidrmatch("123.132.32.0/25", ip)
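To show the whole comparison end to end (extracting the connection IPs the way the question's rex does, excluding the 192.168.0.0/16 range, then testing each against a CIDR blocklist the way cidrmatch does), here is an added Python example. It is not part of the original post or of Splunk; the ASA log lines and the blocklist entries are constructed from RFC 5737 documentation ranges and are not the real firehol_level1 contents. The helper names (load_blocklist, cidrmatch, extract_public_ips, match_ips) are this example's own.

```python
import ipaddress
import re

# Constructed sample blocklist in firehol's text format: '#' comment lines,
# then one CIDR block or bare IP per line. Documentation ranges only (RFC 5737).
BLOCKLIST_TEXT = """
# constructed sample in the style of firehol_level1, NOT the real list
198.51.100.0/24
203.0.113.0/24
192.0.2.99
"""

# Constructed ASA 302013 "Built ... connection" lines in the format the
# question's search matches: every address is written as ip/port.
ASA_LOG = """
%ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.168.10.15/51234 (192.168.10.15/51234)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.77/56001 (198.51.100.77/56001) to inside:192.168.10.2/22 (192.168.10.2/22)
%ASA-6-302013: Built outbound TCP connection 1003 for outside:192.0.2.44/80 (192.0.2.44/80) to inside:192.168.10.20/40000 (192.168.10.20/40000)
%ASA-6-302013: Built outbound TCP connection 1004 for outside:192.0.2.99/8443 (192.0.2.99/8443) to inside:192.168.10.21/40001 (192.168.10.21/40001)
"""


def cidrmatch(cidr, ip):
    """Same semantics as Splunk's cidrmatch(X, Y): True when address Y lies inside subnet X."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def load_blocklist(text):
    """Parse firehol-style text into ip_network objects; a bare IP becomes a /32 (or /128)."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def extract_public_ips(log_text):
    """Pull every ip/port address out of the ASA lines (the question's rex, with escaped
    dots), dedupe while keeping order, and drop the internal 192.168.0.0/16 range."""
    found = re.findall(r"(\d+\.\d+\.\d+\.\d+)/", log_text)
    unique = list(dict.fromkeys(found))
    return [ip for ip in unique if not cidrmatch("192.168.0.0/16", ip)]


def match_ips(ips, nets):
    """Return {ip: matching_cidr} for each IP that falls inside any blocklist network."""
    hits = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for net in nets:
            # Compare only same-family addresses; an IPv4 address is never in an IPv6 net.
            if addr.version == net.version and addr in net:
                hits[ip] = str(net)
                break
    return hits


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_TEXT)
    for ip, net in match_ips(extract_public_ips(ASA_LOG), nets).items():
        print(f"{ip} is blocklisted by {net}")
```

Inside Splunk, cidrmatch only takes one subnet per call, so for a list as large as firehol_level1 the usual approach is a CSV lookup of the blocklist with `match_type = CIDR(<field>)` set for that lookup in transforms.conf, which makes `| lookup` perform the same containment test against every entry at once.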