In_private function not catching 172.30 addresses

I have the following pipeline rule (it filters more, but those have been removed to illustrate). My monitor is on the same subnet as some Linode hosts with 192.16.0.0/16 addresses, and they are being filtered as expected. Srcip for 172.30 addresses in my AWS VPC, however, are not being filtered.

What am I doing wrong? It should catch 172.16.0.0/12, right?

    rule "discard http monitors"
    
    when
      has_field("srcip") && 
      (
      in_private_net("srcip")
      )
    then
      drop_message();
    end

Pretty sure you want:

    in_private_net($message.srcip)

Ahh. I’ll give that a try, thanks! Can you tell that I don’t do pipelines much?

in_private_net expects a string to be passed to it. $message.srcip passes an object.

Do I have to use to_string($message.srcip), or is $srcip a string of the field already?

It would be in_private_net(to_string($message.srcip)) then.

When you are referencing the contents of a field, you need $message.<field> except in the case of has_field() which assumes the $message.
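An added example, not part of the thread and not Graylog code: a Python stand-in for the rule that can be run locally to compare passing the literal text "srcip" with passing the field's value, and to see where the 172.16.0.0/12 boundary falls. The function bodies, the RFC 1918 range list, the sample messages, and the choice to treat unparsable input as "no match" are assumptions of this sketch.

```python
import ipaddress

# RFC 1918 ranges (assumption: the set of networks this stand-in checks).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_private_net(value):
    """Stand-in check: True if value parses as an IPv4 address in a private range."""
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return False  # assumption: text that is not an address never matches
    return any(addr.version == net.version and addr in net
               for net in PRIVATE_NETS)


def rule_as_posted(message):
    # has_field("srcip") && in_private_net("srcip")
    # The argument is the five-character string "srcip", not the field's value.
    return "srcip" in message and in_private_net("srcip")


def rule_as_corrected(message):
    # has_field("srcip") && in_private_net(to_string($message.srcip))
    return "srcip" in message and in_private_net(str(message["srcip"]))


def dropped(rule, messages):
    """Return the srcip of every message the rule would drop."""
    return [m["srcip"] for m in messages if rule(m)]


# Constructed sample messages, not taken from the thread.
SAMPLE_MESSAGES = [
    {"srcip": "172.30.4.17"},      # inside 172.16.0.0/12
    {"srcip": "172.31.255.255"},   # last address of 172.16.0.0/12
    {"srcip": "172.32.0.1"},       # just outside 172.16.0.0/12
    {"srcip": "172.15.255.255"},   # just below 172.16.0.0/12
    {"srcip": "192.168.1.10"},
    {"srcip": "10.1.2.3"},
    {"srcip": "8.8.8.8"},          # public address
    {"message": "no srcip field"},
]

if __name__ == "__main__":
    print("as posted:   ", dropped(rule_as_posted, SAMPLE_MESSAGES))
    print("as corrected:", dropped(rule_as_corrected, SAMPLE_MESSAGES))
```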
