
How to search across all my data for any public IP addresses?

j4adam
Communicator

Hello all,

I've been hoping to play around with some of the iplocation functionality and see if I could leverage it somehow, so I rooted around and found that most of my data is private addresses. That was to be expected, but as I dig around, I cannot seem to find any public addresses at all.

From there I thought it would be fairly simple to do a search across all my data for any public address, or at the very least any non-private (weed out the smaller set). It turns out that I cannot find an easy way of doing this. Regex sounds like it would be a good approach, but that alone has proven to be more complex than expected.

I'm looking to find a public IP in any location, which means I'm not specifying a source, sourcetype, or field, so I'm either using _raw with regex or index=* searches for IP addresses. Without regex, it becomes a bit of a bear because doing a NOT search without specifying a field (which I do not know) removes the whole event, which may also contain a public address.

I've found a couple of regexes online that match RFC 1918 addresses, but most use the /m flag in regex101 (m modifier: multi-line. Causes ^ and $ to match the begin/end of each line), which it looks like Splunk does not use.

I'm currently using this:

index=* | regex _raw="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | search src_ip!=10.* src_ip!=127.* src_ip!=172.16.* src_ip!=::ffff:10* src_ip!=::ffff:127.* src_ip!=::ffff:172.16.*

Ideally I'd not have to specify a field, as I said previously, but my current approach is to pare down the data with specific qualifiers until I either find what I'm looking for or run out of data.

I very well may not have any public addresses in the data I'm using!

Any suggestions for this problem?


dkadavis
Explorer

Just adding to pgreer's answer

| makeresults 
| eval ip_list="172.16.20.1,10.1.1.1,192.168.1.1,1.2.3.4,127.0.0.1,169.254.20.10"
| makemv ip_list delim="," 
| mvexpand ip_list
| eval ip_type = case(match('ip_list',"172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}"),"1_private",match('ip_list',"(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"),"1_private",match('ip_list',"(192\.168\.[0-9]{1,3}\.[0-9]{1,3})"),"1_private",match('ip_list',"(127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"),"3_loopback",match('ip_list',"(169\.254\.[0-9]{1,3}\.[0-9]{1,3})"),"2_apipa",1=1,"0_public")
| sort ip_type ip_list

fatsug
Contributor

This looks really nice!

How would I populate "ip_list" with output from my own "base search"? Or do some direct pipe to eval?


pgreer_splunk
Splunk Employee

Maybe the regexes below might help in being more specific to just public ranges?

"172\.(1[6-9]|2[0-9]|3[0-1])\.[0-9]{1,3}\.[0-9]{1,3}"

"(10\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"

Maybe that might find some matches for your initial regex against _raw events.

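One way to cover both the original question (scan _raw without knowing the field) and fatsug's follow-up (feed a base search into the classification), as an added example that is not from any of the posters: rex pulls every dotted quad out of each event, an octet check drops false hits such as 999.1.1.1, and cidrmatch does the classification so the whole 172.16.0.0/12 block is handled rather than only 172.16.*. The first four lines build constructed sample events; in practice replace them with your own base search (for example index=*) and use field=_raw in the rex command.

```spl
| makeresults
| eval event="fw1 accept src=10.1.4.7 dst=203.0.113.9;fw1 accept src=172.31.200.5 dst=198.51.100.23;fw1 drop src=192.168.1.12 dst=172.16.9.1;app1 client=169.254.20.10 peer=127.0.0.1;app1 bad=999.1.1.1 ver=1.2.3"
| makemv delim=";" event
| mvexpand event
| rex field=event max_match=0 "(?<![\d.])(?<ip>(?:\d{1,3}\.){3}\d{1,3})(?![\d.])"
| mvexpand ip
| where match(ip, "^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
| eval ip_type=case(
    cidrmatch("10.0.0.0/8", ip) OR cidrmatch("172.16.0.0/12", ip) OR cidrmatch("192.168.0.0/16", ip), "private",
    cidrmatch("127.0.0.0/8", ip), "loopback",
    cidrmatch("169.254.0.0/16", ip), "link_local",
    true(), "public")
| stats count by ip_type ip
| sort ip_type ip
```

With the constructed events, 203.0.113.9 and 198.51.100.23 (documentation addresses used here as stand-ins) come out as public, 172.31.200.5 is correctly private, and the version string 1.2.3 is never extracted; append | where ip_type="public" to keep only the rows you are hunting for.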