Check IPs on Blacklist in CIDR notaiton

toddbey2 · ‎10-08-2015

I'm struggling with the following
I have a search that a returns all public IP address for which a connection was made on my Cisco ASA 5516-X firewall.
host="192.168.10.2" Built | rex "(?<ip1>\d+.\d+.\d+.\d+/)" max_match=0 | top limit=10000 ip1 | where NOT (ip1 LIKE "192.168.%.%")

I'd like to compare this list against the below blacklist
http://iplists.firehol.org/?ipset=firehol_level1

The primary problem i have is that the IP lists returned are signular and the blacklist is in CIDR notation. Is there a way to compare a list of single IPs to see if they match any entries within a CIDR notation?

Thanks

maciep · ‎10-09-2015

I haven't used it but there is a function for eval/where called cidrmatch - seems to do just that.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions

cidrmatch("X",Y)    

This function returns true, when an IP addresse Y belongs to a particular subnet X. The function uses two string arguments: the first is the CIDR subnet; the second is the IP address to match.    

This example uses cidrmatch to set a field, isLocal, to "local" if the field ip matches the subnet, or "not local" if it does not:
... | eval isLocal=if(cidrmatch("123.132.32.0/25",ip), "local", "not local")

This example uses cidrmatch as a filter:

... | where cidrmatch("123.132.32.0/25", ip)

Check IPs on Blacklist in CIDR notaiton

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!