sharfuddin2 Absent Member.

Syntax to search the events where Source IP is public?

How can I search the events where the Source IP is public?

e.g.

((pn:"Cisco Firewall") AND (sip:"8.8.8.8"))

works, but it returns only the results where the source IP is exactly 8.8.8.8. Our requirement is to search for all those events where the source IP is public/external.
rochfo Super Contributor.

Re: syntax to search the events where Source IP is public ?

sharfuddin;2458034 wrote:
how can i search the events where Source IP is public ?

e.g
    
((pn:"Cisco Firewall") AND (sip:"8.8.8.8"))

works but returns the result where source IP is 8.8.8.8 strictly. Our requirement is to search for all those events where source IP is public/external.


I do this, but I just use the RFC1918 addresses and a NOT:

(pn:"Cisco Firewall") NOT ((sip:"10.*.*.*" OR sip:"192.168.*.*" OR sip:"172.16.*.*"))
sharfuddin2 Absent Member.

Re: syntax to search the events where Source IP is public ?

Thanks it helped. 😉
brandon-langley Absent Member.

Re: syntax to search the events where Source IP is public ?

rochfordp;2458037 wrote:
I do this but I just use the RFC1918 addresses and use a NOT

(pn:"Cisco Firewall") NOT ((sip:"10.*.*.*" OR sip:"192.168.*.*" OR sip:"172.16.*.*"))


You can also match subnets, or NOT them, using CIDR format, which makes the match a bit more precise. Also, I included the IPv6 private range in the exclusions (fc00::/7 is arguable).

(pn:"Cisco Firewall") NOT ((sip:"10.0.0.0/8" OR sip:"192.168.0.0/16" OR sip:"172.16.0.0/12" OR sip:"fd00::/8"))

https://www.netiq.com/documentation/sentinel-80/s80_user/data/bvh6qr3.html
Micro Focus Expert
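As an added illustration of the difference between the wildcard exclusion (rochfo's reply) and the CIDR exclusion (brandon-langley's reply), here is a small Python emulation of both filters run over constructed sample events. This is example code written for this page, not from the thread, from Sentinel or from NetIQ; it assumes that the search wildcard behaves like plain glob matching on the address string, and the events and their addresses are made up.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample events (not from the thread): product name and source IP.
SAMPLE_EVENTS = [
    {"pn": "Cisco Firewall", "sip": "8.8.8.8"},
    {"pn": "Cisco Firewall", "sip": "10.1.2.3"},
    {"pn": "Cisco Firewall", "sip": "192.168.5.7"},
    {"pn": "Cisco Firewall", "sip": "172.16.9.1"},
    {"pn": "Cisco Firewall", "sip": "172.20.4.4"},   # RFC1918 (172.16.0.0/12) but outside 172.16.*.*
    {"pn": "Cisco Firewall", "sip": "fd12::1"},      # IPv6 ULA, inside fd00::/8
    {"pn": "Cisco Firewall", "sip": "2001:db8::1"},  # documentation prefix, treated as public here
    {"pn": "Linux OS", "sip": "1.1.1.1"},            # other product, dropped by the pn: clause
]

# Wildcard patterns from the first reply (assumed: plain glob matching on the string).
WILDCARD_PRIVATE = ["10.*.*.*", "192.168.*.*", "172.16.*.*"]

# CIDR blocks from the second reply.
CIDR_PRIVATE = [
    ipaddress.ip_network(c)
    for c in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "fd00::/8")
]


def matches_wildcard(sip, patterns=WILDCARD_PRIVATE):
    """True if the address string matches any of the glob patterns."""
    return any(fnmatchcase(sip, p) for p in patterns)


def matches_cidr(sip, networks=CIDR_PRIVATE):
    """True if the parsed address lies in any of the CIDR blocks (v4/v6 aware)."""
    addr = ipaddress.ip_address(sip)
    return any(addr.version == net.version and addr in net for net in networks)


def public_sources_wildcard(events, pn="Cisco Firewall"):
    """Emulates: (pn:"Cisco Firewall") NOT (sip:"10.*.*.*" OR sip:"192.168.*.*" OR sip:"172.16.*.*")"""
    return [e["sip"] for e in events if e["pn"] == pn and not matches_wildcard(e["sip"])]


def public_sources_cidr(events, pn="Cisco Firewall"):
    """Emulates: (pn:"Cisco Firewall") NOT (sip:"10.0.0.0/8" OR ... OR sip:"fd00::/8")"""
    return [e["sip"] for e in events if e["pn"] == pn and not matches_cidr(e["sip"])]


def missed_by_wildcard(events, pn="Cisco Firewall"):
    """Private/internal addresses that the wildcard form would report as public."""
    return sorted(set(public_sources_wildcard(events, pn)) - set(public_sources_cidr(events, pn)))


if __name__ == "__main__":
    print("wildcard filter says public:", public_sources_wildcard(SAMPLE_EVENTS))
    print("CIDR filter says public:    ", public_sources_cidr(SAMPLE_EVENTS))
    print("private but missed:         ", missed_by_wildcard(SAMPLE_EVENTS))
```

The point the comparison makes visible is that "172.16.*.*" only covers 172.16.0.0/16, while RFC1918 reserves the whole 172.16.0.0/12 (172.16.0.0 through 172.31.255.255), and that a string wildcard never matches IPv6 ULA space; the CIDR form closes both gaps, so fewer internal sources leak into a "public source" search.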

Re: syntax to search the events where Source IP is public ?

On 23.05.2017 11:54, sharfuddin wrote:
>
> how can i search the events where Source IP is public ?
>
> e.g
> Code:
> --------------------
>
> ((pn:"Cisco Firewall") AND (sip:"8.8.8.8"))
>
> --------------------
>
> works but returns the result where source IP is 8.8.8.8 strictly. Our
> requirement is to search for all those events where source IP is
> public/external.
>
>


What I've done at several customers is set up an IP Range map with the
internal IP blocks used by the customer and mapped that to custom
Source-/TargetHostZone fields.

In a Lucene filter you can then use
pn:"Cisco Firewall" NOT notnull:cvNN

i.e. SourceHostZone is null, which means SourceIP was not in any of the
blocks considered private or internal.

--
Norbert
rochfo Super Contributor.

Re: syntax to search the events where Source IP is public ?

klasen;2458140 wrote:
On 23.05.2017 11:54, sharfuddin wrote:
>
> how can i search the events where Source IP is public ?
>
> e.g
> Code:
> --------------------
>
> ((pn:"Cisco Firewall") AND (sip:"8.8.8.8"))
>
> --------------------
>
> works but returns the result where source IP is 8.8.8.8 strictly. Our
> requirement is to search for all those events where source IP is
> public/external.
>
>


What I've done at several customers is setup an IP Range map with the
internal ip blocks used by the customer and mapped that to custom
Source-/TargetHostZone fields.

In a Lucene filter you can then use
pn:"Cisco Firewall" NOT notnull:cvNN

ie. SourcHostZone is null which means SourceIP was not in any of the
blocks considered private or internal.

--
Norbert


Hi Norbert,

Interested to find out how you set up that IP Range map. Can you share how you did it?
Micro Focus Expert

Re: syntax to search the events where Source IP is public ?

On 24.05.2017 12:14, rochfordp wrote:
>
> klasen;2458140 Wrote:
>> On 23.05.2017 11:54, sharfuddin wrote:
>>>
>>> how can i search the events where Source IP is public ?
>>>
>>> e.g
>>> Code:
>>> --------------------
>>>
>>> ((pn:"Cisco Firewall") AND (sip:"8.8.8.8"))
>>>
>>> --------------------
>>>
>>> works but returns the result where source IP is 8.8.8.8 strictly. Our
>>> requirement is to search for all those events where source IP is
>>> public/external.
>>>
>>>

>>
>> What I've done at several customers is setup an IP Range map with the
>> internal ip blocks used by the customer and mapped that to custom
>> Source-/TargetHostZone fields.
>>
>> In a Lucene filter you can then use
>> pn:"Cisco Firewall" NOT notnull:cvNN
>>
>> ie. SourcHostZone is null which means SourceIP was not in any of the
>> blocks considered private or internal.
>>
>> --
>> Norbert

>
> Hi Norbert,
>
> Interested to find out how you set up that IP Range map. Can you share
> how you did it?


Before Sentinel 7.1.0.1 you had to convert IP addresses to a decimal
format:
https://www.netiq.com/communities/cool-solutions/cool_tools/ip-range-map-calculator/
Now you can directly enter CIDR values into range maps
(https://www.netiq.com/documentation/sentinel71/s7101_readme/data/s7101_readme.html#b16k5foh).
More information on range maps can be found at
https://www.netiq.com/documentation/sentinel-80/s80_admin/data/bhjll32.html

--
Norbert
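To show how the range-map approach from Norbert's two replies fits together, here is an added Python emulation (written for this page, not Sentinel's own code or the Cool Solutions calculator) of a decimal-format range map derived from CIDR blocks, the per-event zone enrichment into a custom SourceHostZone field, and the equivalent of the `NOT notnull:cvNN` filter. It is IPv4 only, the zone names and blocks are constructed, and the decimal start/end representation is an assumption about what the pre-7.1.0.1 map format looked like.

```python
import ipaddress

# Constructed range map (not any customer's real one): internal CIDR block -> zone name.
INTERNAL_BLOCKS = {
    "10.0.0.0/8": "Corporate",
    "172.16.0.0/12": "Lab",
    "192.168.0.0/16": "Branch",
}

# Constructed sample events for the demonstration.
SAMPLE_EVENTS = [
    {"pn": "Cisco Firewall", "sip": "8.8.8.8"},
    {"pn": "Cisco Firewall", "sip": "10.20.30.40"},
    {"pn": "Cisco Firewall", "sip": "172.31.255.254"},  # last address of 172.16.0.0/12
    {"pn": "Cisco Firewall", "sip": "172.32.0.1"},      # just outside it
    {"pn": "Cisco Firewall", "sip": "192.168.1.1"},
    {"pn": "Cisco Firewall", "sip": "fd12::1"},         # IPv6: unmapped in this IPv4-only map
]


def cidr_to_decimal_range(cidr):
    """First and last address of an IPv4 CIDR block as integers (the old decimal map format)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return int(net.network_address), int(net.broadcast_address)


def build_range_map(blocks=INTERNAL_BLOCKS):
    """Rows of (start_decimal, end_decimal, zone), sorted by start address."""
    rows = []
    for cidr, zone in blocks.items():
        start, end = cidr_to_decimal_range(cidr)
        rows.append((start, end, zone))
    return sorted(rows)


def lookup_zone(sip, range_map):
    """Range-map lookup: zone of the first row whose start..end contains sip, else None."""
    try:
        value = int(ipaddress.IPv4Address(sip))
    except ipaddress.AddressValueError:
        return None  # non-IPv4 sources stay unmapped (null) in this example
    for start, end, zone in range_map:
        if start <= value <= end:
            return zone
    return None


def enrich(events, range_map):
    """Add the custom SourceHostZone field (the cvNN of the post) to every event."""
    return [dict(e, SourceHostZone=lookup_zone(e["sip"], range_map)) for e in events]


def public_sources(enriched, pn="Cisco Firewall"):
    """Equivalent of the filter: pn:"Cisco Firewall" NOT notnull:cvNN"""
    return [e["sip"] for e in enriched if e["pn"] == pn and e["SourceHostZone"] is None]


if __name__ == "__main__":
    rm = build_range_map()
    for start, end, zone in rm:
        print(f"{start:>10} {end:>10} {zone}")
    print("public sources:", public_sources(enrich(SAMPLE_EVENTS, rm)))
```

Keeping the list of internal blocks in the map rather than in every saved search means a new branch subnet is added once, and every filter written as "zone is null" picks it up; the cost is that an address the map does not know about (here anything IPv6) silently counts as public, which is worth checking when the map is first populated.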