Hi. There are a few threads on here talking about this but I’m not 100% sure if there is an accepted solution, especially as a 3.0 landmark seems to have been dropped.
I have a CSV file that contains a long list of IP objects, a mixture of subnets and individual IPs - a typical 'IOC' file generated by combining different format 'bad IP' feeds etc.
I'm trying to look up an incoming stream of network logs against this to flag traffic to any flagged IP. This works perfectly when the object is a unique IP, but not when the entry is a subnet, where it is ignored (doesn't match).
Is there an accepted way of dealing with this scenario? As Graylog is moving into the security space, being able to deal with subnet formatted IOCs would be a fairly key objective IMO.
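The matching logic the post is after, written as an added example that is not part of the original post and not Graylog's own code: a mixed IOC list (bare IPs and CIDR subnets) is normalised into networks bucketed by prefix length, so a destination IP from a log line is tested against every subnet it could fall into, most specific first. The CSV contents and log lines are constructed sample data.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample IOC file: bare IPs and CIDR subnets mixed, as in the post (not a real feed).
IOC_CSV = """indicator,source
203.0.113.7,feed_a
198.51.100.0/24,feed_b
2001:db8:bad::/48,feed_c
192.0.2.0/28,feed_a
"""

# Constructed sample log lines in the form "src_ip dst_ip".
LOG_LINES = [
    "10.0.0.5 203.0.113.7",
    "10.0.0.6 198.51.100.200",
    "10.0.0.7 192.0.2.12",
    "10.0.0.8 2001:db8:bad:1::9",
    "10.0.0.9 203.0.113.8",
]


def load_iocs(csv_text):
    """Parse IOC rows into {(ip_version, prefixlen): {network: source}}.

    A bare IP becomes a /32 (or /128) network, so single IPs and subnets
    share one lookup path instead of the subnet rows being silently skipped.
    """
    buckets = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["indicator"].strip(), strict=False)
        buckets[(net.version, net.prefixlen)][net] = row["source"]
    return buckets


def match_ip(buckets, ip_text):
    """Return (network, source) of the most specific IOC containing ip_text, else None."""
    ip = ipaddress.ip_address(ip_text)
    # Longest prefix first, so an exact /32 hit wins over an enclosing /24.
    for version, plen in sorted(buckets, key=lambda k: k[1], reverse=True):
        if version != ip.version:
            continue
        candidate = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
        if candidate in buckets[(version, plen)]:
            return str(candidate), buckets[(version, plen)][candidate]
    return None


def flag_logs(buckets, lines):
    """Return (dst_ip, matched_network, source) for each log line whose destination is an IOC hit."""
    hits = []
    for line in lines:
        _, dst = line.split()
        hit = match_ip(buckets, dst)
        if hit:
            hits.append((dst, hit[0], hit[1]))
    return hits
```

The lookup cost is one set membership test per distinct prefix length in the list, not one per IOC row, which keeps it usable against a live log stream.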