Hi, I'm getting started with Graylog and am starting to mess around with pipeline rules. My experience so far with Graylog is quite good; the only thing I'm missing so far is a table dashboard widget to put firewall logs in.
I was looking at some examples on how to do an OTX lookup and got the indicator telling me if it's true or false going, but I'm worried it also tries to look up local IPs, and I don't want to be spamming the lookup servers for this. How can I set up a rule so it doesn't run the lookup for RFC 1918 addresses?
I copy-pasted this from the Graylog documentation and changed the fields:
rule "OTX Lookup: suricata_src_ip"
when
  has_field("suricata_src_ip")
then
  // query OTX for the source address and copy the result into three fields
  let intel = otx_lookup_ip(to_string($message.suricata_src_ip));
  set_field("suricata_threat_indicated", intel.otx_threat_indicated);
  set_field("suricata_threat_ids", intel.otx_threat_ids);
  set_field("suricata_threat_names", intel.otx_threat_names);
end
I tried this:
when
  has_field("suricata_src_ip") AND NOT cidr_match("10.10.10.0/24", to_ip($message.gl2_remote_ip))
then
but this doesn't seem to work. Thanks for any input!
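One way to get the behaviour the question asks for, as an added example that is not part of the original post: the CIDR test is applied to suricata_src_ip itself rather than to gl2_remote_ip (gl2_remote_ip is the address the message arrived at Graylog from, i.e. the log shipper, not the source address inside the Suricata event), and all three RFC 1918 ranges are excluded in the `when` clause so the lookup is never called for them. The rule name is mine, and the two extra exclusions for loopback and link-local go beyond what the question asked.

```text
rule "OTX Lookup: suricata_src_ip (public addresses only)"
when
  has_field("suricata_src_ip") &&
  // the three RFC 1918 private ranges: no OTX query for any of these
  ! cidr_match("10.0.0.0/8",     to_ip($message.suricata_src_ip)) &&
  ! cidr_match("172.16.0.0/12",  to_ip($message.suricata_src_ip)) &&
  ! cidr_match("192.168.0.0/16", to_ip($message.suricata_src_ip)) &&
  // added beyond the question: loopback and link-local are never worth a lookup either
  ! cidr_match("127.0.0.0/8",    to_ip($message.suricata_src_ip)) &&
  ! cidr_match("169.254.0.0/16", to_ip($message.suricata_src_ip))
then
  // only reached for addresses outside the ranges above
  let intel = otx_lookup_ip(to_string($message.suricata_src_ip));
  set_field("suricata_threat_indicated", intel.otx_threat_indicated);
  set_field("suricata_threat_ids", intel.otx_threat_ids);
  set_field("suricata_threat_names", intel.otx_threat_names);
end
```

To check it before connecting the pipeline to a live stream, run the rule through the pipeline simulator with two messages, one whose suricata_src_ip is 10.10.10.5 and one with a public address: suricata_threat_indicated should appear only on the second. Note that the original attempt used a /24; if you exclude only 10.10.10.0/24, every other private address (the rest of 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16) is still sent to OTX.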