In_private function not catching 172.30 addresses

I have the following pipeline rule (it filters more, but those have been removed to illustrate). My monitor is on the same subnet as some Linode hosts with addresses, and they are being filtered as expected. Srcip for 172.30 addresses in my AWS VPC, however, are not being filtered.

What am I doing wrong? It should catch, right?

    rule "discard http monitors"
      has_field("srcip") &&

Pretty sure you want:


Ahh. I’ll give that a try, thanks! Can you tell that I don’t do pipelines much?

in_private_net expects a string to be passed to it. $message.srcip passes an object.

Do I have to use to_string($message.srcip), or is $srcip a string of the field already?

It would be in_private_net(to_string($message.srcip)) then.

When you are referencing the contents of a field, you need $message.<field>, except in the case of has_field(), which assumes the $message.
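
The fix discussed in this thread, written out as a complete rule. This is an added example, not code from the original posts. The `drop_message()` action is an assumption based on the rule's name, since the original rule body is not shown.

```graylog
rule "discard http monitors"
when
  // has_field() takes the bare field name and looks it up on $message itself
  has_field("srcip") &&
  // Field contents are read as $message.<field>. to_string() converts the
  // field value into the string that in_private_net() expects.
  // 172.30.x.x lies inside the RFC 1918 block 172.16.0.0/12.
  in_private_net(to_string($message.srcip))
then
  // Assumed action: discard the matching message
  drop_message();
end
```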

