In_private function not catching 172.30 addresses

knobbysideup · July 5, 2022, 3:15pm

I have the following pipeline rule (it filters more, but those have been removed to illustrate). My monitor is on the same subnet as some linode hosts with 192.16.0.0/16 addresses, and they are being filtered as expected. Srcip for 172.30 addresses in my AWS VPC, however, are not being filtered.

What am I doing wrong? It should catch 172.16.0.0/12, right?

    rule "discard http monitors"
    
    when
      has_field("srcip") && 
      (
      in_private_net("srcip")
      )
    then
      drop_message();
    end

tmacgbay · July 5, 2022, 3:43pm

pretty sure you want:

in_private_net($message.srcip)

knobbysideup · July 5, 2022, 3:49pm

Ahh. I’ll give that a try, thanks! Can you tell that I don’t do pipelines much?

knobbysideup · July 5, 2022, 3:54pm

in_private_net expects a string be passed to it. $message.srcip passes an object.

Do I have to use to_string($message.srcip), or is $srcip a string of the field already?

tmacgbay · July 5, 2022, 4:00pm

it would be in_private_net(to_string($message.srcip)) then.

when you are referencing the contents of a field, you need $message.<field> except in the case of has_field() which assumes the $message.

system · July 19, 2022, 4:01pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Stumped - Finding a function in rules Graylog Central (peer support) pipeline-rules	5	399	January 26, 2021
Exempting certain I.P Addresses Using Pipelines Graylog Central (peer support)	13	2527	December 21, 2017
Pipeline doesn't work Graylog Central (peer support) pipeline-rules , debuggingpl	5	1269	March 11, 2020
Part of stream logs to another server Graylog Central (peer support)	2	343	February 15, 2019
Testing Pipeline Effect on Stream Graylog Central (peer support) pipeline-rules	3	1312	October 25, 2017

In_private function not catching 172.30 addresses

Related Topics