Don't execute pipeline rule for RFC1918 addresses

Hi, I'm getting started with Graylog and am starting to mess around with pipeline rules. My experience so far with Graylog is quite good; the only thing I'm missing so far is a table dashboard widget to put firewall logs in.

I was looking at some examples on how to do an OTX lookup, and got the indicator telling me if it's true or false going, but I'm worried it also tries to look up local IPs and I don't want to be spamming the lookup servers for this. How can I set up a rule so it doesn't run the lookup for RFC1918 addresses?

Copy-pasted this from the Graylog documentation and changed the fields:

rule "OTX Lookup: suricata_src_ip"
when
  has_field("suricata_src_ip")
then
  // query OTX for the source address and copy the result into the message
  let intel = otx_lookup_ip(to_string($message.suricata_src_ip));
  set_field("suricata_threat_indicated", intel.otx_threat_indicated);
  set_field("suricata_threat_ids", intel.otx_threat_ids);
  set_field("suricata_threat_names", intel.otx_threat_names);
end

I tried to do

when
  // the address to test is the one being looked up (suricata_src_ip), not
  // gl2_remote_ip, which is the address of the host that sent the log line
  has_field("suricata_src_ip") AND NOT cidr_match("10.10.10.0/24", to_ip($message.suricata_src_ip))
then

but this doesn't seem to work, thanks for any input!
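The rule the question is after, written out as an added example (not code from the original post or from the Graylog documentation). It keeps the poster's field names and covers all three RFC1918 ranges rather than a single subnet; the rule name in quotes is an assumption. `cidr_match` takes a CIDR string and an IpAddress value, which is why the field is passed through `to_ip`.

```graylog
// Added example: run the OTX lookup only for source addresses outside the
// RFC1918 private ranges, so internal hosts never generate lookup traffic.
rule "OTX Lookup: suricata_src_ip (public only)"
when
  has_field("suricata_src_ip") AND
  NOT cidr_match("10.0.0.0/8",     to_ip($message.suricata_src_ip)) AND
  NOT cidr_match("172.16.0.0/12",  to_ip($message.suricata_src_ip)) AND
  NOT cidr_match("192.168.0.0/16", to_ip($message.suricata_src_ip))
then
  // only reached for public addresses; enrich the message with the OTX result
  let intel = otx_lookup_ip(to_string($message.suricata_src_ip));
  set_field("suricata_threat_indicated", intel.otx_threat_indicated);
  set_field("suricata_threat_ids", intel.otx_threat_ids);
  set_field("suricata_threat_names", intel.otx_threat_names);
end
```

One caveat worth checking on your own data: if `suricata_src_ip` ever holds something that is not a valid address, `to_ip` falls back to its default value instead of failing the condition, so a quick search for messages where the field is present but `suricata_threat_indicated` was never set will show whether anything unexpected is slipping through.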

  1. Check that you have the right "Message Processors Configuration" order in your Graylog. Your Pipeline Processor should be after the Message Filter Chain in System/Configurations, because you are trying to use extracted fields in your pipeline rule.
    https://docs.graylog.org/en/3.1/pages/pipelines/usage.html

  2. How do you extract the field suricata_src_ip? Using an extractor or a pipeline rule? If a pipeline rule, your lookup rule's stage priority should be higher than your extracting rule's.
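For the second point, an added example (not from the original thread) of a pipeline definition whose stage numbers enforce that ordering: stage 0 has to finish, and thus populate `suricata_src_ip`, before any rule in stage 1 sees the message. Both rule names are assumptions standing in for the poster's own extraction rule and lookup rule.

```graylog
// Added example: lower-numbered stages run first, so the extraction rule
// in stage 0 always precedes the lookup rule in stage 1.
pipeline "Suricata OTX enrichment"
stage 0 match all
  rule "Suricata: extract src ip";
stage 1 match all
  rule "OTX Lookup: suricata_src_ip (public only)";
end
```

If the field comes from an extractor rather than a rule, the stage split is not needed, but the first point still applies: the Message Filter Chain (where extractors run) must sit before the Pipeline Processor in the Message Processors Configuration, otherwise `has_field("suricata_src_ip")` is evaluated before the field exists.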
