How to search on IP range and not IP subnet?

honey4sec
Explorer

Hi, we are currently consuming threat intelligence data and want to correlate it in Splunk in a good way.
The problem is that some of the feeds deliver IP addresses in the format ip-ip and not ip/subnet.
How can I make Splunk treat ip-ip as individual IP addresses to match against our firewall logs?

0 Karma
1 Solution

ehudb
Contributor

Assuming your threat IP fields are IP ranges:
"192.168.1.1-192.168.1.100" means ALL IP addresses in the range: 192.168.1.1, 2, 3, ... 100

You can use the following:

index=firewall |table fwsrc
|append [index=threat |table threatip ]
|makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1)
|table fwsrc startip endip
|eventstats values(startip) as startip values(endip) as endip
|stats count by fwsrc startip endip
|eval isThreat = if(fwsrc>=startip AND fwsrc<=endip,"T","F")
|stats values(isThreat) as isThreat by fwsrc |eval isThreat=if(isThreat=="T","T","F")

Explanation:
|makemv threatip delim="-" will convert the range to a multivalue field with start and end
mvindex will extract them into new fields
eventstats will spread the threat ranges across the entire table
(fwsrc>=startip) decides whether fwsrc is 'bigger' than startip, meaning all its 4 parts are above or equal to the other IP's
(fwsrc<=endip) works the same way in the opposite direction
|stats values and eval will finally show only the IPs that were detected as a threat in one of the ranges.


Another working approach would be converting all the ranges to a where clause in a subsearch:

index=firewall |table fwsrc
|where
[index=threat |table threatip |makemv threatip delim="-" |eval startip=mvindex(threatip,0) |eval endip=mvindex(threatip,1) |table startip endip
|eval where="fwsrc>=\""+startip+"\" AND fwsrc<=\""+endip+"\""  |return 10000 $where]

The subsearch here assembles the table:

threatip
-----------
192.168.1.2-192.168.1.100
10.0.0.1-10.1.0.100

into a single-line where clause:
(fwsrc>="192.168.1.2" AND fwsrc<="192.168.1.100") OR (fwsrc>="10.0.0.1" AND fwsrc<="10.0.0.100")

Then the |where command uses this string to filter the results.

0 Karma
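As an added example (not ehudb's SPL and not from the original thread), the range-matching logic above carried through in Python, with the comparison done on 32-bit integers rather than on dotted-quad strings. That matters because string operators such as >= and <= order "192.168.1.20" after "192.168.1.100" (the character "2" sorts after "1"), so a string-based range test silently misses part of every range whose octets differ in length. The feed lines and firewall log lines are constructed samples; the field names fwsrc and threatip follow the thread. The parser goes slightly beyond the thread and also accepts CIDR and single-host feed entries, and range_to_cidrs() turns an ip-ip range into the minimal CIDR list so the same feed can be used with a cidrmatch()-style lookup instead of string comparison.

```python
"""Correlate firewall source IPs against a threat feed that publishes
"start-end" IP ranges, comparing addresses numerically, not as strings.

Added example, not code from the original thread. THREAT_FEED and
FIREWALL_LOG are constructed samples; fwsrc/threatip names follow the thread.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed threat-feed sample: ip-ip ranges, one CIDR, one bare host.
# "192.168.3.35-192.168.3.47" is the exact format the asker described.
THREAT_FEED = """\
192.168.1.2-192.168.1.100
10.0.0.1-10.0.0.100
192.168.3.35-192.168.3.47
172.16.5.0/24
203.0.113.7
"""

# Constructed firewall log sample; only the src= field is used here.
FIREWALL_LOG = """\
2024-03-01T10:00:01Z action=allow src=192.168.1.20 dst=10.9.9.9 dport=443
2024-03-01T10:00:02Z action=allow src=192.168.1.200 dst=10.9.9.9 dport=443
2024-03-01T10:00:03Z action=allow src=192.168.3.40 dst=10.9.9.8 dport=22
2024-03-01T10:00:04Z action=deny src=172.16.5.77 dst=10.9.9.8 dport=445
2024-03-01T10:00:05Z action=allow src=198.51.100.4 dst=10.9.9.9 dport=80
"""

Range = Tuple[int, int]  # inclusive (start, end) as 32-bit integers


def ip_to_int(ip: str) -> int:
    """Dotted-quad string to integer; raises ValueError on malformed input."""
    return int(ipaddress.IPv4Address(ip))


def parse_feed_entry(entry: str) -> Range:
    """Accept 'a.b.c.d-e.f.g.h', 'a.b.c.d/nn' or a bare 'a.b.c.d'."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ip_to_int(part) for part in entry.split("-", 1))
        if start > end:
            raise ValueError(f"reversed range: {entry}")
        return start, end
    net = ipaddress.IPv4Network(entry, strict=False)  # handles /nn and bare host
    return int(net.network_address), int(net.broadcast_address)


def load_ranges(feed_text: str) -> List[Range]:
    """One (start, end) pair per non-empty feed line."""
    return [parse_feed_entry(line) for line in feed_text.splitlines() if line.strip()]


def in_ranges(ip: str, ranges: List[Range]) -> bool:
    """Numeric membership test: the equivalent of startip <= fwsrc <= endip."""
    n = ip_to_int(ip)
    return any(start <= n <= end for start, end in ranges)


SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def flag_threat_sources(log_text: str, ranges: List[Range]) -> List[Tuple[str, str]]:
    """Return (src, 'T'|'F') per log line, mirroring the thread's isThreat field."""
    out = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        src = m.group(1)
        out.append((src, "T" if in_ranges(src, ranges) else "F"))
    return out


def string_compare_verdict(ip: str, start: str, end: str) -> bool:
    """What a plain string test like fwsrc>=startip AND fwsrc<=endip yields."""
    return start <= ip <= end


def range_to_cidrs(entry: str) -> List[str]:
    """Convert an ip-ip range to the minimal CIDR list, e.g. for a cidrmatch() lookup."""
    start, end = parse_feed_entry(entry)
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end))]


if __name__ == "__main__":
    ranges = load_ranges(THREAT_FEED)
    for src, verdict in flag_threat_sources(FIREWALL_LOG, ranges):
        print(f"{src:16} isThreat={verdict}")
    # 192.168.1.20 lies inside 192.168.1.2-192.168.1.100 numerically,
    # but "192.168.1.20" > "192.168.1.100" as a string, so this prints False.
    print(string_compare_verdict("192.168.1.20", "192.168.1.2", "192.168.1.100"))
    print(range_to_cidrs("192.168.3.35-192.168.3.47"))
```

Running the script flags 192.168.1.20, 192.168.3.40 and 172.16.5.77 as threats and leaves 192.168.1.200 and 198.51.100.4 clean; the string_compare_verdict() call shows the same 192.168.1.20 falling outside its range when compared lexicographically. Converting each ip-ip feed entry with range_to_cidrs() once, at ingest time, is the cheaper and safer way to keep the match in Splunk: a CIDR lookup compares network bits, not characters.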


ehudb
Contributor

Assuming the ip field looks like this:
"192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1"

You can convert it to a multivalue field, and then expand it to rows:
|makemv delim="-" ip |mvexpand ip

"192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1" ->
ip
192.168.1.1
192.168.1.2
192.168.1.3
10.0.0.1

Full example:
| makeresults count=1 |eval ip="192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1" |table ip
|makemv delim="-" ip |mvexpand ip

0 Karma

honey4sec
Explorer

The ip field looks like this:
192.168.3.35-192.168.3.47
I don't think the answer applies to this.
But I'm not a Splunk superman yet.

0 Karma

ehudb
Contributor

OK, I understand the range is "fromip-toip".
I will post a new answer according to this.

0 Karma

ehudb
Contributor

What's the difference between your example:
192.168.3.35-192.168.3.47

and my example:
192.168.1.1-192.168.1.2-192.168.1.3-10.0.0.1

0 Karma