Subnet Search Query


(Ayoola Ayooluwa) #1

Hi guys, please whats the correct search query to search through subnets? I tried this and it didnt work:

src_ip : 10.0.0.0 TO 10.255.255.255.255
src_ip : (10.0.0.0 TO 10.255.255.255.255)
src_ip = 10.0.0.0 TO 10.255.255.255.255
src_ip = 10.0.0.0 - 10.255.255.255.255
src_ip : (10.0.0.0 - 10.255.255.255.255)

None of the above worked. Please help correct with the right search query.

Thanks


(Sachin) #2

Range filter works only for numeric fields and not for Strings.


(Ayoola Ayooluwa) #3

So do i have to remove the private i.p addresses one after the other? there should be a way to remove i.p address range on graylog i suppose.

Thanks


#4

just use wildcard operators, like src_ip:10.*
elasticsearch supports IP addresses as a data type and enables queries similar to what you described, but unfortunately graylog doesn’t recognise them as such (unlike dates and numbers) and writes them as text, so just like I said, use text operators like wildcard
there is workaround though, you can define custom index mapping with src_ip field as IP data type


(Ayoola Ayooluwa) #5

Yea, Thanks Maniel; this worked fine

src_ip:10.

What if i want to search for something like this?

( src_ip!=10.) AND ( src_ip!=172.) AND ( src_ip!=192.). I tried it and it didnt work. Please help me out.


#6

Elasticsearch negations should look like !(something), like !(src_ip:10.*) or NOT (src_ip:10.*), so query like !(src_ip:10.*) AND NOT (src_ip:172.*) AND NOT (src_ip:192.*) should work in theory


(Ayoola Ayooluwa) #7

Please help correct the code below: It didnt work out…Thanks

rule "Allowed Firewall Inbound"
when
has_field (“NOT IP:10.* AND NOT IP:192.168.* AND NOT IP:172.16.* AND categoryOutcome=Success AND NOT IP:172.17.* AND NOT IP:172.18.* AND NOT IP:172.19.* AND NOT IP:172.20.* AND NOT IP:172.21.* AND NOT IP:172.22.* AND NOT IP:172.23.* AND NOT IP:172.24.* AND NOT IP:172.25.* AND NOT IP:172.26.* AND NOT IP:172.27.* AND NOT IP:172.28.* AND NOT IP:172.29.* AND NOT IP:172.30.* AND NOT IP:172.31.*”)
then

let Name_join = concat(to_string($message.IP), " ------> “);
let Name_ID = concat(Name_join,to_string($message.src_port));
let Name_ID2 = concat(Name_ID, (”---------->"));
let Name_ID3 = concat(Name_ID2,to_string($message.Firewall_DestinationIP));
let Name_ID4 = concat(Name_ID3, ("---------->"));
let Name_ID5 = concat(Name_ID4,to_string($message.dst_port));
let Name_ID6 = concat(Name_ID5, ("---------->"));
let Name_ID7 = concat(Name_ID6, to_string($message.categoryOutcome));

set_field(field:“FW_route”, value: Name_ID);
end


#8

has_field checks if field with given name exists, and “NOT IP:10.* AND NOT IP:192.168.* AND NOT IP:172.16.* AND categoryOutcome=Success AND NOT IP:172.17.* AND NOT IP:172.18.* AND NOT IP:172.19.* AND NOT IP:172.20.* AND NOT IP:172.21.* AND NOT IP:172.22.* AND NOT IP:172.23.* AND NOT IP:172.24.* AND NOT IP:172.25.* AND NOT IP:172.26.* AND NOT IP:172.27.* AND NOT IP:172.28.* AND NOT IP:172.29.* AND NOT IP:172.30.* AND NOT IP:172.31.*” clearly isn’t name of the field, right? try to use $message.field notation in when clause, in pipelines you can use java like operators and pipeline functions like !contains(to_string($message.ip),"10.") || !contains(to_string($message.ip),"192.168") etc, or just use regexp matching


(Ayoola Ayooluwa) #9

Regular expression match wouldn’t work in rules…i actually need to put that in rules…can u give me a simpler or more suitable one that would run perfectly


#10

according to this thread:


you can use regex in when clause:

when
  has_field("ip") && regex("ip matching regex", to_string($message.ip)).matches == false &&
  has_field("categoryOutcome") && to_string($message.categoryOutcome) == "Success"
then
  // do something
end

regex in your case would look something like this ^(192\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1]))


(Jochen) #11

In the processing pipeline you could use the cidr_match() function instead and I’d recommend to do that.


(Ayoola Ayooluwa) #12

How do i go about using the cidr_match() for multiple subnets. I would appreciate an example.

Thanks.


(Jochen) #13

See https://github.com/Graylog2/graylog-plugin-pipeline-processor/blob/2.3.2/plugin/src/test/resources/org/graylog/plugins/pipelineprocessor/functions/ipMatching.txt for an example.


(Ayoola Ayooluwa) #14

Hi J, this is what’s in the link u sent:

rule "ip handling"
when
    cidr_match("192.0.0.0/8", to_ip("192.168.1.50")) &&
    ! cidr_match("191.0.0.0/8", to_ip("192.168.1.50"))
then
    set_field("ip_anon", to_string(to_ip($message.ip).anonymized));
    set_field("ipv6_anon", to_string(to_ip("2001:db8::1").anonymized));
    trigger_test();
end

The question is: where do i specify the field where i want it to fetch the cidr match from?


(Jochen) #15

Wherever you like.

In general, you can access message fields using the following construct:

$message.field_name

(Ayoola Ayooluwa) #16

Please help correct this, it aint showing any errors but it still giving me private addresses.

rule "Allowed Firewall Inbound"
when
 
!contains(to_string($message.IP),"10.*") AND !contains(to_string($message.IP),"192.168.") AND !contains(to_string($message.IP),"172.16.") AND !contains(to_string($message.IP),"172.17.") AND !contains(to_string($message.IP),"172.18.") AND !contains(to_string($message.IP),"172.19.") AND !contains(to_string($message.IP),"172.20.") AND !contains(to_string($message.IP),"172.21.") AND !contains(to_string($message.IP),"172.22.") AND !contains(to_string($message.IP),"172.23.") AND !contains(to_string($message.IP),"172.24.") AND !contains(to_string($message.IP),"172.25.") AND !contains(to_string($message.IP),"172.26.") AND !contains(to_string($message.IP),"172.27.") AND
!contains(to_string($message.IP),"172.28.") AND !contains(to_string($message.IP),"172.29.") AND
!contains(to_string($message.IP),"172.30.") AND !contains(to_string($message.IP),"172.31.")


       then
 
let Name_join = concat(to_string($message.IP), "  ------>  ");
let Name_ID = concat(Name_join,to_string($message.src_port));
let Name_ID2 = concat(Name_ID, ("---------->"));
let Name_ID3 = concat(Name_ID2,to_string($message.Firewall_DestinationIP));
let Name_ID4 = concat(Name_ID3, ("---------->"));
let Name_ID5 = concat(Name_ID4,to_string($message.dst_port));
let Name_ID6 = concat(Name_ID5, ("---------->"));
let Name_ID7 = concat(Name_ID6, to_string($message.categoryOutcome));


set_field(field:"FW_route", value: Name_ID7);
end

(Ayoola Ayooluwa) #17

Hi J, could u give an example. Lets assume my source i.p’s field is in “src_ip”. How do u use the $message.field_name with the code below to filter out private addresses and set a new field.

rule "ip handling"
when
cidr_match(“192.0.0.0/8”, to_ip(“192.168.1.50”)) &&
! cidr_match(“191.0.0.0/8”, to_ip(“192.168.1.50”))
then
set_field(“ip_anon”, to_string(to_ip($message.ip).anonymized));
set_field(“ipv6_anon”, to_string(to_ip(“2001:db8::1”).anonymized));
trigger_test();
end.

And do i add the anonymized u added. And what function does it perform.

Thanks.


(Jochen) #18

You can access the field with $message.src_ip and convert it to an IP address with to_ip($message.src_ip).

It “anonymizes” the IP address by zeroing out the last octet.


(Ayoola Ayooluwa) #19

R u saying the code u posted would now look like dis? : after i substitute my src_ip??

rule "ip handling"
when
cidr_match(“192.0.0.0/8”, to_ip(“192.168.1.50”)) &&
! cidr_match(“191.0.0.0/8”, to_ip(“192.168.1.50”))
then
set_field(“ip_anon”, to_string(to_ip($message.src_ip).anonymized))
trigger_test();
end

  1. what function is this please and what does it do?
    trigger_test();
  2. what does this also do? cidr_match(“192.0.0.0/8”, to_ip(“192.168.1.50”)) &&
    because what i want to do is get inbound events by removing private i.p addresses from the source_ipz

Thanks


(Jochen) #20

This triggers the test run. :wink:

You don’t need this in your own rules. It’s just for the unit tests in the processing pipeline plugin.

It’s a function call to cidr_match() and to_ip(). If you want to know something else, you have to be more specific.