Solved: Re: Exclude Source IP and Destination IP from resu...

sarwshai · ‎06-29-2021

Hi There,

How do i Exclude Source IP and Destination IP from results if they belong to same private ip range? For e.g. in the results as shown below

src_ip	dest_ip	count
10.0.0.1	10.10.0.1	1
10.0.0.1	192.168.0.1	1

I need to exclude the first row in the statistics as they belong to same private ip range but want to keep the second row.

sarwshai · ‎06-29-2021

Well i tried this and it worked for me, thanks @ITWhisperer

.....| eval str=if(cidrmatch(10.0.0.0/8,src),1,0)| eval dtr=if(cidrmatch(10.0.0.0/8,dest),1,0)| stats count by src dest str dtr|where str!=dtr

View solution in original post

kamlesh_vaghela · ‎06-29-2021

@sarwshai

Can you please try this?

Here I have considered below IP ranges as private IP ranges.

Private IP addresses:

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

YOUR_SEARCH
| rex field=src_ip "(?<src_range_1>[0-9]{1,3}).(?<src_range_2>[0-9]{1,3}).[0-9]{1,3}."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3}).(?<dest_range_2>[0-9]{1,3}).[0-9]{1,3}."
| table src_ip	dest_ip	count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
src_range_1="10" and src_range_1=dest_range_1,"0",
src_range_1="192" and src_range_1=dest_range_1,"0",
src_range_1="172" and src_range_1=dest_range_1 and src_range_2>15 and dest_range_2<32,"0",
1==1,"1")
| where is_valid_ip="1"
| table src_ip	dest_ip	count

My Sample Search :

| makeresults | eval _raw="src_ip	dest_ip	count
10.0.0.1	10.10.0.1	1
10.0.0.1	192.168.0.1	1
10.0.0.1	10.10.0.1	1
10.0.0.1	10.10.0.1	1
172.16.0.0	172.31.255.255	1
192.168.0.0	192.168.255.255	1
10.0.0.1	10.10.0.1	1
" | multikv forceheader=1
| rex field=src_ip "(?<src_range_1>[0-9]{1,3}).(?<src_range_2>[0-9]{1,3}).[0-9]{1,3}."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3}).(?<dest_range_2>[0-9]{1,3}).[0-9]{1,3}."
| table src_ip	dest_ip	count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
src_range_1="10" and src_range_1=dest_range_1,"0",
src_range_1="192" and src_range_1=dest_range_1,"0",
src_range_1="172" and src_range_1=dest_range_1 and src_range_2>15 and dest_range_2<32,"0",
1==1,"1")
| where is_valid_ip="1"
| table src_ip	dest_ip	count

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

sarwshai · ‎06-29-2021

Well i tried this and it worked for me, thanks @ITWhisperer

.....| eval str=if(cidrmatch(10.0.0.0/8,src),1,0)| eval dtr=if(cidrmatch(10.0.0.0/8,dest),1,0)| stats count by src dest str dtr|where str!=dtr

ITWhisperer · ‎06-29-2021

Try something like:

| where NOT cidrmatch("10.0.0.0/8", src_ip) OR NOT cidrmatch("10.0.0.0/8", dest_ip)

sarwshai · ‎06-29-2021

No it doesn't work by this.

ITWhisperer · ‎06-29-2021

In what way?

sarwshai · ‎06-29-2021

I am still getting the same private ip range in the same rows

Exclude Source IP and Destination IP from results if they belong to same private ip range

eval

stats

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases