Search and/or compare lists of IPs from a file

Hello,
I come again to ask for clarification from the most knowledgeable.
I ask for your understanding if my English is not clear.
I'd like to do a trick, but I'm having a hard time working out how to approach it.

I have a file that contains a vast list of IPs:

1.0.151.101
1.0.161.206
1.0.164.241
1.0.167.14
1.0.169.199
1.0.170.91
… and it goes on for more than a thousand lines …

When a log message arrives for processing, check whether the “src_ip” field of that log is contained in this list. If it is, raise an alert.
I envision these steps:

First step: would it be done with “Lookup Tables”, bringing this data in through a CSV?

Second step, a comparison pipeline?

Third step, the alert based on a condition?

If possible, what would be the “best practices” for this case?
I’ll be grateful if you can give me a clue… Links to older posts, etc…
I looked in older posts but found nothing. Maybe I’m not using the correct search terms in the forum archives.

Every help is welcome.
Thanks!

You are on the right track.

Here is how I would do it.

Create a CSV that has the IP in the first column and “true” in the second column.

Then in the when section of your pipeline rule put something like

lookup_value("lookuptablename", to_string($message.fieldwithipaddress), "false") == to_string("true")

This rule will now only run if a match is found in the lookup table; otherwise it returns "false" as the default value and the rule doesn't run.

In the then section just do a set_field that makes a field that is something like matchedtolist=true.

Then write an alert that is just searching for matchedtolist:true

Hopefully that all makes sense, let me know if it doesn't!


@Joel_Duffield
Thanks for the answer.
And your help was vital to my success.
It took me a while to just try to understand the syntax.

I created the first step with “Lookup Table”;
In the second step (pipeline), I got it like this:

rule "ddos_dns_servers"
when
 //lookup_value("lookuptablename", to_string($message.fieldwithipaddress), "false")==to_string("true")
 lookup_value("ddos_dns_servers", to_string($message.src_ip), "false") == to_string("true")
then
 //In the then section just do a set_field that makes a field that is something like matchedtolist=true.
 set_field("test_DDoS", "ddos_dns_servers is true");
end

And so, I could see in the search that the field “test_DDoS” was created.


But what if I wanted to be more daring and create an “else”? Something like this:

... then
 set_field("test_DDoS", "ddos_dns_servers is true") else set_field("test_DDoS", "ddos_dns_servers is false");

Would it be possible?
Or do I need to create another stage that negates the “true”?

So you could make another step, but if you want to record the yes AND no there is a simpler configuration. Redo your rule to have the when be something else (to decide when to run it) or set it to true so it always runs.

Then move your lookup_value into the then section and store it as a variable, and use that in the set_field. It will return either what is in that second column or your default value on no match.

let result = lookup_value(…

set_field("field", to_string(result))

You could also use concat to add extra text if you want it in that field.
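
The two rule shapes described in this thread (the first answer's match-only rule, gated in the when section, and this answer's always-run rule that records "true" or "false"), as an added example that is not part of the thread and is not Graylog's own code. It is a plain Python model of the lookup-table, pipeline-rule and alert logic so that it can be run and tested without a Graylog instance: the CSV contents, the log messages, the field names src_ip and matchedtolist and the reuse of the table name ddos_dns_servers from the thread are all constructed for illustration. The one piece of logic it adds beyond the thread is a guard for messages that carry no src_ip field at all; in a real pipeline rule that corresponds to putting has_field("src_ip") in front of the lookup in the when section.

```python
"""Offline model of: CSV watch-list -> lookup table -> pipeline rule -> alert.

Added example, not code from the thread or from Graylog. Field names, the
CSV rows and the log messages below are constructed for illustration.
"""
import csv
import io
import ipaddress
from typing import Dict, List, Optional

# Constructed watch-list in the shape the first answer suggests: the IP in
# column one, the literal "true" in column two. In Graylog this file would sit
# behind a CSV data adapter exposed as the lookup table "ddos_dns_servers".
# The last row is deliberately malformed to show how the loader treats it.
WATCHLIST_CSV = """ip,flag
1.0.151.101,true
1.0.161.206,true
1.0.164.241,true
not-an-ip,true
"""

# Constructed log messages, already split into fields the way an input or
# extractor would leave them. The third one carries no src_ip at all.
MESSAGES: List[Dict[str, str]] = [
    {"message": "query A example.com", "src_ip": "1.0.161.206"},
    {"message": "query A example.com", "src_ip": "203.0.113.9"},
    {"message": "server started"},
]


def load_lookup_table(csv_text: str) -> Dict[str, str]:
    """Turn the CSV into the key -> value map a lookup table exposes.
    Keys are validated and canonicalised with ipaddress so stray whitespace
    in the file (or mixed-case IPv6 text) cannot silently break an exact
    match; rows whose key is not an IP address are dropped, not loaded."""
    table: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            key = str(ipaddress.ip_address(row["ip"].strip()))
        except ValueError:
            continue  # bad row in the list: skip it rather than abort the load
        table[key] = row["flag"].strip()
    return table


def lookup_value(table: Dict[str, str], key: str, default: str) -> str:
    """Mirror of the pipeline function lookup_value(table, key, default):
    the second-column value for a known key, otherwise the caller's default."""
    return table.get(key, default)


def canonical_ip(value: Optional[str]) -> Optional[str]:
    """Normalise the src_ip field the same way the table keys were, so the
    exact-match lookup sees "1.0.161.206" whether or not the log padded it.
    Returns None for a missing field or a value that is not an IP address."""
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def rule_match_only(msg: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """First answer's shape: the when clause gates on the lookup returning
    "true", so only matching messages receive the marker field. A message
    without a usable src_ip (has_field would be false) is left untouched."""
    out = dict(msg)
    src = canonical_ip(msg.get("src_ip"))
    if src is not None and lookup_value(table, src, "false") == "true":
        out["matchedtolist"] = "true"
    return out


def rule_record_both(msg: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Second answer's shape: the rule always runs, stores the lookup result in
    a variable and writes it to the field, so non-matches are recorded as
    "false" (the default) instead of being skipped. The has_field-style guard
    is added here so a missing src_ip is not recorded as a "false" lookup."""
    out = dict(msg)
    src = canonical_ip(msg.get("src_ip"))
    if src is None:
        return out
    result = lookup_value(table, src, "false")
    out["matchedtolist"] = result
    return out


def alert_hits(processed: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """The alert's search condition, matchedtolist:true, applied to the
    processed messages; each message returned would raise one event."""
    return [m for m in processed if m.get("matchedtolist") == "true"]


if __name__ == "__main__":
    table = load_lookup_table(WATCHLIST_CSV)
    tagged = [rule_record_both(m, table) for m in MESSAGES]
    for m in tagged:
        print(m.get("src_ip", "<no src_ip>"), "->", m.get("matchedtolist", "<field not set>"))
    print("alerts:", len(alert_hits(tagged)))
```

Running the model over the three constructed messages tags the first as "true", the second as "false" and leaves the third untagged, and the alert search returns exactly one hit. The same split is what you would see in Graylog: with the gated rule only the first message gains the field, with the always-run rule the second one is recorded as "false" as well, which is the difference the question about an "else" was asking about.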
