Can I match only messages containing non-RFC 1918 addresses?


(Naggappan) #1

Hi, I get JSON logs and one field called “full_messages” contains a value like “[groupId=sg-06742ea4a25ef45df, ipPermissions={items=[{ipProtocol=tcp, fromPort=8080, toPort=8080, groups={}, ipRanges={items=[{cidrIp=192.168.0.0/32}]}, ipv6Ranges={}, prefixListIds={}}]}]”

Now, from this, is it possible to filter only the fields which contain a specific IP address range, like non-RFC 1918 IPs only?

I saw the regex for non-RFC IPs for Java, ‘(^127\.0\.0\.1)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)’, but this works only if I have an IP address or subnet; here the message contains a lot more info along with the subnet CIDR.


(Philipp Ruland) #2

Yes, this is perfectly possible. Extract the IP into its own field (or into a variable in a pipeline rule if you do not want to store it separately) and use the in_private_net(ip_address) : Boolean pipeline function provided by the Threat Intelligence plugin that is bundled with Graylog.

Another possibility would be to use the cidr_match(cidr: string, ip: IpAddress) function built into Graylog to check every RFC1918 and further IP blocks you want to drop messages on.

Greetings,
Philipp


(Naggappan) #3

Hi, I am not getting what you mean by cidr_match; where should I put it? I found another option called grok pattern for a field in messages, but I am not able to get a pattern to filter RFC 1918. I can actually filter all IP addresses from a string using the pattern “(?:%{IPV6}|%{IPV4})”. I don’t want IPv6; just IPv4 non-RFC 1918 is required.
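Added example, not code from the thread or from Graylog itself: a small Python model of the logic Philipp describes, pulling each IPv4 address or CIDR out of the full_message string and keeping only those outside the RFC 1918 blocks (the equivalent of a negated in_private_net / cidr_match check in a pipeline rule). The first sample message is the one quoted in the question; the second is constructed with a placeholder group id and a public test range.

```python
import ipaddress
import re

# RFC 1918 private blocks. Callers can pass a longer list (e.g. adding
# loopback 127.0.0.0/8) to mimic extra cidr_match rules.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IPv4 dotted quad with an optional /prefix, as it appears after cidrIp= in the log.
# Digits in other fields (ports, group ids) never form four dotted octets, so they are skipped.
IPV4_CIDR_RE = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d{1,2}))?(?![\w.])")

# Constructed samples: the first is the message from the question, the second is synthetic
# (placeholder group id, 203.0.113.0/24 is a documentation range, not a real target).
SAMPLE_PRIVATE = ("[groupId=sg-06742ea4a25ef45df, ipPermissions={items=[{ipProtocol=tcp, fromPort=8080, "
                  "toPort=8080, groups={}, ipRanges={items=[{cidrIp=192.168.0.0/32}]}, ipv6Ranges={}, "
                  "prefixListIds={}}]}]")
SAMPLE_PUBLIC = ("[groupId=sg-PLACEHOLDER, ipPermissions={items=[{ipProtocol=tcp, fromPort=22, "
                 "toPort=22, groups={}, ipRanges={items=[{cidrIp=203.0.113.0/24}, {cidrIp=10.1.2.3}]}, "
                 "ipv6Ranges={}, prefixListIds={}}]}]")


def extract_ipv4_cidrs(text):
    """Return every IPv4 address/CIDR found in text, dropping malformed ones (octet > 255)."""
    found = []
    for addr, prefix in IPV4_CIDR_RE.findall(text):
        cidr = f"{addr}/{prefix}" if prefix else addr
        try:
            ipaddress.ip_network(cidr, strict=False)  # validate only; keep the original text
        except ValueError:
            continue
        found.append(cidr)
    return found


def in_private_net(cidr, private_blocks=RFC1918):
    """True if the address or whole CIDR lies inside one of the private blocks (like in_private_net)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return net.version == 4 and any(net.subnet_of(block) for block in private_blocks)


def non_rfc1918_cidrs(text, private_blocks=RFC1918):
    """The IPv4 ranges in a message that a 'drop private' rule would keep."""
    return [c for c in extract_ipv4_cidrs(text) if not in_private_net(c, private_blocks)]


if __name__ == "__main__":
    for msg in (SAMPLE_PRIVATE, SAMPLE_PUBLIC):
        print(non_rfc1918_cidrs(msg))
```

A message matches the poster's requirement when non_rfc1918_cidrs() returns a non-empty list; in a pipeline rule the same decision would be `!in_private_net(to_ip(extracted))`.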


(system) closed #4

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.