Split Field into Categories - ie Internal and External IP Addresses

I’ve created an extractor for in input that gets the source IP from httpd log entries. So now I have a field called source_ip_address.

Is there a way I can add an extra field based on the IP address to see if it’s a private IP - our internal range - or else classify it as external? The field would only have two values - Internal or External.

Many thanks.

You could write a pipeline rule for that and use a custom lookup table for your private IP range (or use the in_private_net() function from the Threat Intelligence plugin).

I had a look at lookup tables, but they seemed to be a bit OTT for what I’m trying to do.

I think I’ve go something working with regex and extractors -

Extractor 1 - Internal IP

^(?:10|127|172.(?:1[6-9]|2[0-9]|3[01])|192.168)…*

Replace with Internal, store in field ip_origin

Extractor 2 - External IP

^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!172.(16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31))(?<!127)(?<!^10)(?<!^0).([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!192.168)(?<!172.(16|17|18|19|20|21|22|23|24|25|26|27|28|29|30|31)).([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]).([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(?<!.255$)$

Replace with External, store in field ip_origin

This seems to be working.

Thanks for getting back to me though.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.