Exempting certain IP Addresses Using Pipelines


(Ayoola Ayooluwa) #1

Hi guys, please, what's the exact syntax if I want to remove a certain IP address using pipelines?

e.g.

when
src_ip != 10.10.10.255
then
set_field ();
end


(Jochen) #2

You can access message fields (e.g. "src_ip") with $message.src_ip and drop messages with drop_message().


(Ayoola Ayooluwa) #3

Can you help combine both $message.src_ip and drop_message() under a "when" condition?

Thanks


(Jochen) #4

You can find some examples at http://docs.graylog.org/en/2.3/pages/pipelines/rules.html#rule-structure

Do you have a specific problem with creating the rule?


(Ayoola Ayooluwa) #5

I have used the $message.src_ip in many pipeline rules and it worked fine... I just need the syntax for combining both $message.src_ip and drop_message() to exclude a particular source IP address.


(Jochen) #6

You would check the “src_ip” field in the when block and drop the message in the then block.


(Ayoola Ayooluwa) #7

Okay Okay, something like this:

rule "use"
when
has_field("src_ip")

then
drop_message("10.10.10.255")
setfield()
end


(Jan Doberstein) #8

more like

rule "use"
when
  has_field("src_ip") AND $message.src_ip == "10.10.10.255"
then
  drop_message()
end

(Ayoola Ayooluwa) #9

Thanks J, it worked. I appreciate it.


(Ayoola Ayooluwa) #10
rule "Proxy Top Users and Category"
when
is_not_null("EMAILLOCALPART") && has_field("Proxy_Category")

then
let Name_join = concat(to_string($message.EMAILLOCALPART), "  ------>  ");
let Name_ID = concat(Name_join,to_string($message.Proxy_Category));

set_field(field:"Proxy_Names", value: Name_ID);
end

I still get empty fields appearing as some of my email_users even though I used the "is_not_null". What am I getting wrong, please?

Thanks


(Jochen) #11

Please consider subscribing to professional support if you require individual and detailed help in your setup.


(Ayoola Ayooluwa) #12

Thanks... I have fixed it already using the rule below:

rule "Proxy Top Users and Category"
when
is_not_null($message.EMAILLOCALPART) && has_field("Proxy_Category")

then
let Name_join = concat(to_string($message.EMAILLOCALPART), " ------> ");
let Name_ID = concat(Name_join, to_string($message.Proxy_Category));
set_field(field:"Proxy_Names", value: Name_ID);
end

(Ayoola Ayooluwa) #13

Good day, please, I need a quick fix on this because it isn't fetching anything.

rule "FW_Outbound2"
when
    ( $message.IP == "10.*" OR $message.IP == "172.16.*" OR $message.IP == "172.17.*" OR $message.IP == "172.18.*" OR $message.IP == "172.19.*"
    OR $message.IP == "172.20.*" OR $message.IP == "172.21.*" OR $message.IP == "172.22.*" OR $message.IP == "172.23.*" OR $message.IP == "172.24.*"
    OR $message.IP == "172.25.*" OR $message.IP == "172.26.*" OR $message.IP == "172.27.*" OR $message.IP == "172.28.*" OR $message.IP == "172.29.*"
    OR $message.IP == "172.30.*" OR $message.IP == "172.31.*" OR $message.IP == "192.168.*" )
    AND $message.Firewall_DestinationIP != "4.2.2.2"
    AND $message.Firewall_DestinationIP != "8.8.8.8"
    AND $message.Firewall_DestinationIP != "255.255.255.255"
    AND $message.Firewall_DestinationIP != "10.10.2.255"
then
    let Name_join = concat(to_string($message.timestamp), "  ------>  ");
    let Name_ID = concat(Name_join, to_string($message.IP));
    let Name_ID2 = concat(Name_ID, "---------->");
    let Name_ID3 = concat(Name_ID2, to_string($message.Firewall_DestinationIP));
    let Name_ID4 = concat(Name_ID3, "---------->");
    let Name_ID5 = concat(Name_ID4, to_string($message.dst_port));
    let Name_ID6 = concat(Name_ID5, "---------->");
    let Name_ID7 = concat(Name_ID6, to_string($message.categoryOutcome));

    set_field(field:"FW_OutboundS", value: Name_ID7);
end

Thanks.
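The rule in #13 compares $message.IP against strings such as "10.*", but == in pipeline rules is an exact string comparison, so no real address ever equals "10.*" and the when block never matches. The following is an added example, not a reply from the thread: it expresses the same intent with the pipeline functions cidr_match() and to_ip() (both available in Graylog 2.x), where 172.16.0.0/12 covers 172.16 through 172.31 in one range. Field names are taken from the post above; the rule name is assumed, and the IP field is assumed to always hold a parseable IPv4 address.

```text
rule "FW_Outbound2_cidr"
when
  // guard first: to_ip() on a missing field would abort the rule
  has_field("IP") && has_field("Firewall_DestinationIP") &&
  // RFC 1918 source ranges replace the seventeen "10.*"/"172.x.*"/"192.168.*" string comparisons
  (
    cidr_match("10.0.0.0/8",     to_ip($message.IP)) ||
    cidr_match("172.16.0.0/12",  to_ip($message.IP)) ||
    cidr_match("192.168.0.0/16", to_ip($message.IP))
  ) &&
  // exact-match destination exclusions from the original rule, unchanged
  $message.Firewall_DestinationIP != "4.2.2.2" &&
  $message.Firewall_DestinationIP != "8.8.8.8" &&
  $message.Firewall_DestinationIP != "255.255.255.255" &&
  $message.Firewall_DestinationIP != "10.10.2.255"
then
  // same "timestamp ------> src ----------> dst ----------> port ----------> outcome" summary as #13;
  // let-bound names are immutable, so each step gets its own name
  let src     = concat(to_string($message.timestamp), " ------> ");
  let src_dst = concat(concat(src, to_string($message.IP)), "---------->");
  let dst     = concat(concat(src_dst, to_string($message.Firewall_DestinationIP)), "---------->");
  let port    = concat(concat(dst, to_string($message.dst_port)), "---------->");
  let summary = concat(port, to_string($message.categoryOutcome));
  set_field(field: "FW_OutboundS", value: summary);
end
```

To see which messages the when block admits before trusting the new field, run the rule through the pipeline simulator with a sample message whose IP is a private address and one whose IP is public.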


(system) #14

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.