cidr notation not working

hartfoml · ‎04-24-2014

I have more than 40 class B subnets in my geographically dispersed enterprise.

I would like to create a lookup for my companly subnets so that when I do searches on firewall and IDS data I can exclude or include company to and from IP's using the cidr notation for the Class B subnets. the reason I want to use Cidr is because I have a few superneted class B groups with a /14 cidr designation.

I have a search like this:

index=firewall action!=deny source_zone_name="Untrust" source_address!=X.X.0.0/16 OR source_address!=Y.Y.0.0/14 OR source_address!=Z.Z.0.0/16 | stats count by source_address

This search is not filtering out the subnets identified with the Cidr notation.

Do I have to do something special to get Splunk to recognize the notation?

martin_mueller · ‎04-24-2014

You can do this:

index=_internal sourcetype=splunk*access | where NOT cidrmatch("127.0.0.0/31",clientip)
index=_internal sourcetype=splunk*access | where NOT cidrmatch("127.0.0.0/32",clientip)

The first search filters out localhost's IP, the second doesn't.

In case of lookups, you'll want to set match_type = CIDR(...), see http://docs.splunk.com/Documentation/Splunk/6.0.3/admin/Transformsconf for reference. Then a lookup table like this would match localhost and add whitelisted=1 to the event:

cidr,whitelisted
127.0.0.0/31,1

cidr notation not working

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio