Splunk Enterprise

Check IPs on Blacklist in CIDR notation

toddbey2
New Member

I'm struggling with the following.
I have a search that returns all public IP addresses for which a connection was made on my Cisco ASA 5516-X firewall.
host="192.168.10.2" Built | rex "(?<ip1>\d+\.\d+\.\d+\.\d+)/" max_match=0 | top limit=10000 ip1 | where NOT (ip1 LIKE "192.168.%.%")

I'd like to compare this list against the below blacklist
http://iplists.firehol.org/?ipset=firehol_level1

The primary problem I have is that the IP list returned contains single addresses and the blacklist is in CIDR notation. Is there a way to compare a list of single IPs to see if they match any entries within a CIDR notation?

Thanks


maciep
Champion

I haven't used it but there is a function for eval/where called cidrmatch - seems to do just that.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

cidrmatch("X",Y)    

This function returns true when an IP address Y belongs to a particular subnet X. The function uses two string arguments: the first is the CIDR subnet; the second is the IP address to match.

This example uses cidrmatch to set a field, isLocal, to "local" if the field ip matches the subnet, or "not local" if it does not:
... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")

This example uses cidrmatch as a filter:

... | where cidrmatch("123.132.32.0/25", ip)
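The answer above covers the single-subnet case; the question actually needs every extracted IP tested against a whole list of prefixes. The following is an added example written for this page, not code from either poster or from Splunk: it reproduces the cidrmatch() semantics in Python with the standard ipaddress module, parses a FireHOL-style netset (comment lines, bare IPs, CIDR ranges), pulls the host/port addresses out of ASA "Built" events with a regex equivalent to the one in the question (dots escaped, the "/" kept outside the capture group so ip1 holds only the address), drops RFC 1918 space, and reports which public IPs fall inside a listed prefix. The netset contents and the log lines are constructed for the example and are not real firehol_level1 entries; the function names are this example's own.

```python
"""Match single IPs against a CIDR blocklist the way Splunk's cidrmatch() does.

Added example, not from the original thread. Netset lines and ASA events
below are constructed in the real formats; the values are made up.
"""
import ipaddress
import re

# Constructed sample in firehol netset layout (comments, bare IPs, CIDRs).
SAMPLE_NETSET = """\
#
# firehol_level1 style sample (constructed for this example)
#
0.0.0.0/8
10.0.0.0/8
203.0.113.0/24
198.51.100.7
"""

# Constructed ASA "Built" events; each address appears as host/port.
SAMPLE_EVENTS = """\
%ASA-6-302013: Built outbound TCP connection 1 for outside:203.0.113.45/443 (203.0.113.45/443) to inside:192.168.10.55/51234 (192.168.10.55/51234)
%ASA-6-302013: Built outbound TCP connection 2 for outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.10.56/51235 (192.168.10.56/51235)
%ASA-6-302013: Built outbound TCP connection 3 for outside:198.51.100.9/53 (198.51.100.9/53) to inside:192.168.10.57/51236 (192.168.10.57/51236)
"""

# Same intent as the rex in the question: dots escaped, '/' outside the group.
IP_RE = re.compile(r"(?P<ip1>\d{1,3}(?:\.\d{1,3}){3})/")

# RFC 1918 ranges, listed explicitly rather than via is_private, whose
# membership differs between Python versions (it also covers TEST-NET).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_netset(text):
    """Return ip_network objects from a firehol-style netset.

    Comment and blank lines are skipped; a bare IP becomes a /32 so it can
    be compared like any other prefix.
    """
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def cidrmatch(subnet, ip):
    """Equivalent of Splunk's cidrmatch("X", Y): True if ip lies in subnet."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(subnet, strict=False)
    except ValueError:
        return False


def extract_public_ips(events):
    """Pull every host/port address from the events and drop RFC 1918 space."""
    ips = set()
    for m in IP_RE.finditer(events):
        addr = ipaddress.ip_address(m.group("ip1"))
        if not any(addr in n for n in RFC1918):
            ips.add(str(addr))
    return sorted(ips)


def match_blocklist(ips, nets):
    """Map each IP to the first blocklist prefix containing it, or None."""
    result = {}
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        result[ip] = next((str(n) for n in nets if addr in n), None)
    return result


if __name__ == "__main__":
    nets = parse_netset(SAMPLE_NETSET)
    for ip, hit in match_blocklist(extract_public_ips(SAMPLE_EVENTS), nets).items():
        print(f"{ip:16} {'BLOCKLISTED ' + hit if hit else 'clean'}")
```

Two things carry over to Splunk. First, with the original rex the "/" ends up inside ip1, so cidrmatch() never matches; keep the slash outside the capture group. Second, rather than chaining one cidrmatch() call per prefix, the same containment test can be done in Splunk with a CSV lookup whose transforms.conf stanza sets match_type = CIDR(<cidr field>), which lets `| lookup <name> <cidr field> AS ip1 OUTPUT <cidr field> AS matched_range` find the covering prefix for each address; the netset's comment lines and bare IPs need the same cleanup as parse_netset() does here before loading them as the CSV.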