Splunk Search

Finding the correct scope of an IP address?

dersa
Path Finder

Hi, I am struggling with the following task. I have a lookup file containing all the configured DHCP scopes in the following format.

ScopeId SubnetMask Name State StartRange EndRange LeaseDuration

In dhcp.log I have the IP address for a client.

I need the ScopeId and the LeaseDuration for each client.

My idea is to check whether the given IP address is within StartRange and EndRange and get the ScopeId and LeaseDuration. My problem is I don't have a clue how to do so.

Any Ideas?

Thanks,

Alex

0 Karma

bowesmana
SplunkTrust

Are your IP ranges CIDR ranges? If so, you can make a lookup definition based on that CSV with the CIDR range as a single field in the lookup. In the advanced options of the lookup definition, set the match type to CIDR(range_field), where range_field is the field containing the CIDR range.

Then in your SPL do

<search>
| lookup dhcp_scopes range_field as ip

which will look up ip against the CIDR range in the lookup.

If you cannot do CIDR, it becomes a little more complicated. You will have to work out whether you can segregate your lookup rows into stem+range for groups of IP addresses, e.g.

base=10.1.8, start=1, end=63
base=10.1.8, start=128, end=192
base=10.2.8, start=1, end=63

You'll then need to break up the IP to make a match, and then possibly get multiple results back. It's possible but a little fiddly.

0 Karma
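Worked example, added here and not part of the original thread or of Splunk's own code. It takes the question's lookup format (ScopeId, SubnetMask, StartRange, EndRange, LeaseDuration) and shows both matches the answer describes: deriving a CIDR field from ScopeId/SubnetMask so the lookup can use the CIDR() match type, and the fallback range match that compares the address as an integer against StartRange and EndRange. The sample rows are constructed, and the example assumes that ScopeId is the subnet's network address (as it is in Windows DHCP scope exports); the function names are illustrative.

```python
import csv
import io
import ipaddress

# Constructed sample rows in the question's lookup format (not real data).
SCOPES_CSV = """ScopeId,SubnetMask,Name,State,StartRange,EndRange,LeaseDuration
10.1.8.0,255.255.255.192,Office-A,Active,10.1.8.1,10.1.8.63,8.00:00:00
10.1.8.128,255.255.255.128,Office-B,Active,10.1.8.129,10.1.8.192,8.00:00:00
10.2.8.0,255.255.255.0,Lab,Active,10.2.8.1,10.2.8.63,1.00:00:00
"""


def load_scopes(text):
    """Parse the lookup CSV; add integer range bounds and the scope's CIDR.

    Assumption: ScopeId is the subnet's network address (as in Windows
    DHCP exports), so ScopeId/SubnetMask is the CIDR of the whole scope.
    """
    scopes = []
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(
            f"{row['ScopeId']}/{row['SubnetMask']}", strict=False)
        row["cidr"] = str(net)
        row["start_int"] = int(ipaddress.ip_address(row["StartRange"]))
        row["end_int"] = int(ipaddress.ip_address(row["EndRange"]))
        scopes.append(row)
    return scopes


def with_cidr_column(text):
    """Re-emit the CSV with a cidr column, ready to upload as the lookup
    whose definition uses match type CIDR(cidr)."""
    out = io.StringIO()
    fields = ["ScopeId", "SubnetMask", "Name", "State", "StartRange",
              "EndRange", "LeaseDuration", "cidr"]
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for s in load_scopes(text):
        writer.writerow({k: s[k] for k in fields})
    return out.getvalue()


def find_by_range(ip, scopes):
    """Pool match: IP between StartRange and EndRange inclusive, compared
    as integers (a string compare would put 10.1.8.9 after 10.1.8.63)."""
    n = int(ipaddress.ip_address(ip))
    return [s for s in scopes if s["start_int"] <= n <= s["end_int"]]


def find_by_cidr(ip, scopes):
    """Subnet match: what a CIDR() match type in the lookup would return."""
    addr = ipaddress.ip_address(ip)
    return [s for s in scopes if addr in ipaddress.ip_network(s["cidr"])]


def enrich(ip, scopes):
    """Return (ScopeId, LeaseDuration) for the pool containing ip, or None.
    A malformed address raises ValueError instead of silently matching
    nothing."""
    hits = find_by_range(ip, scopes)
    if not hits:
        return None
    if len(hits) > 1:
        # Overlapping ranges mean a bad lookup; surface it instead of
        # picking one arbitrarily.
        raise ValueError(f"{ip} matches {len(hits)} scopes")
    return hits[0]["ScopeId"], hits[0]["LeaseDuration"]


if __name__ == "__main__":
    scopes = load_scopes(SCOPES_CSV)
    for ip in ("10.1.8.40", "10.1.8.150", "10.2.8.100"):
        print(ip, "pool:", enrich(ip, scopes),
              "subnet:", [s["cidr"] for s in find_by_cidr(ip, scopes)])
```

The third sample address shows the caveat between the two methods: 10.2.8.100 is inside the 10.2.8.0/24 subnet, so a CIDR match returns the Lab scope, but it is outside the StartRange–EndRange pool (10.2.8.1–10.2.8.63), so the range match returns nothing. If the goal is specifically "which DHCP pool handed out this lease", the range match is the faithful one; if "which scope's subnet is this address in" is enough, upload the CSV produced by with_cidr_column, set the match type to CIDR(cidr) on the lookup definition, and use `| lookup dhcp_scopes cidr AS ip OUTPUT ScopeId LeaseDuration` in SPL (the lookup name dhcp_scopes is assumed, as in the answer above).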

dersa
Path Finder

Thanks, 

I'll give it a shot.

Best regards

Alex

0 Karma