I’ve created an extractor for in input that gets the source IP from httpd log entries. So now I have a field called source_ip_address.
Is there a way I can add an extra field based on the IP address to see if it’s a private IP - our internal range - or else classify it as external? The field would only have two values - Internal or External.
Many thanks.
You could write a pipeline rule for that and use a custom lookup table for your private IP range (or use the in_private_net() function from the Threat Intelligence plugin).
I had a look at lookup tables, but they seemed to be a bit OTT for what I’m trying to do.
I think I’ve go something working with regex and extractors -
Extractor 1 - Internal IP
^(?:10|127|172.(?:1[6-9]|2[0-9]|3[01])|192.168)…*
Replace with Internal, store in field ip_origin
Extractor 2 - External IP
^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!172.(16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31))(?<!127)(?<!^10)(?<!^0).([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!192.168)(?<!172.(16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31)).([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!.255$)$
Replace with External, store in field ip_origin
This seems to be working.
Thanks for getting back to me though.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
