Network Grouping via tags


Sean Engelbrecht

Feb 26, 2013, 12:41:15 PM
to enterprise-log-s...@googlegroups.com
Is it possible to tag networks based on CIDR blocks:

For Example
CIDR                        Tag
 192.168.1.0/26           TX_SALES
 192.168.1.64/26         CA_SALES
 192.168.1.128/25        UNASSIGNED
 192.168.2.0/24           DEVELOPMENT
 192.168.3.0/28           HR
 192.168.3.16/25         FL_SALES

That way a search could be done either by IP address, IP range or TAG. It would also give us the ability to tag an external/public IP address with a range of RFC 1918 address space.

Thanks

Kevin Wilcox

Feb 26, 2013, 1:08:19 PM
to enterprise-log-s...@googlegroups.com
On 26 February 2013 12:41, Sean Engelbrecht <sean.eng...@gmail.com> wrote:

> For Example
> CIDR Tag
> 192.168.1.0/26 TX_SALES
> 192.168.1.64/26 CA_SALES
> 192.168.1.128/25 UNASSIGNED
> 192.168.2.0/24 DEVELOPMENT
> 192.168.3.0/28 HR
> 192.168.3.16/25 FL_SALES
>
> That way a search could be done either by IP address, IP range or TAG. It
> would also give us the ability to tag an external/public IP address with a
> range of RFC 1918 Address space.

Sean - what I've done is specify an IP range using (pseudo here) "ip >
192.168.1.0 and ip < 192.168.5.1", then save that as a macro that you
can reference in future searches; even though you aren't tagging at
the log level, you can use those macros at the search level.

kmw

Chris Green

Feb 26, 2013, 1:26:58 PM
to enterprise-log-s...@googlegroups.com, enterprise-log-s...@googlegroups.com
Look at known subnets in the documentation 

--
You received this message because you are subscribed to the Google Groups "enterprise-log-search-and-archive" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise-log-search-...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

Martin Holste

Feb 26, 2013, 1:35:45 PM
to enterprise-log-s...@googlegroups.com
Sure, you can do this with saved search macros.  So, for the TX_SALES macro, you would do this:

host>=192.168.1.0 host<=192.168.1.63 srcip>=192.168.1.0 srcip<=192.168.1.63 dstip>=192.168.1.0 dstip<=192.168.1.63

It doesn't matter if you get any results back, go to "Result options..." and choose "Save Search" and use the name TX_SALES.  Now, whenever you want to see those logs, you can do a search for your keyword (like Snort alert name, whatever) and then add $TX_SALES to the query, and it will use the macro to tack on those other filters to your search.

The other side of things is on reporting and output.  You can use the "whois" transform to provide local org data.  To do this, edit your /etc/elsa_web.conf file, go down to the area for "transforms," "whois," and "known_subnets" and fill out something along these lines:

"whois": {
  "known_subnets": {
    "192.168.1.0": {
      "end": "192.168.1.63",
      "org": "TX_SALES"
    }
  },
  "known_orgs": {
    "TX_SALES": {
      "name": "TX_SALES",
      "org": "TX_SALES",
      "cc": "US",
      "country": "United States",
      "state": "TX",
      "city": "Sometown"
    }
  }
}

Now, whenever you pipe results through the whois plugin, you'll get fields for "customer" which match the field being searched, which shows up like "dstip.customer=TX_SALES."  This allows you to do proper reporting like this:

sig_msg:trojan groupby:srcip | whois | sum(srcip.customer)


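Both halves of Martin's answer (the per-field range filter saved as a macro, and the "known_subnets" entries keyed by start address with an "end" and "org") are generated from the same CIDR-to-tag table. The script below is an added example, not code from ELSA or from anyone in the thread: it turns a table like Sean's into the macro text and the config fragment, does a longest-prefix lookup of a single IP, and, because ELSA macros and "known_subnets" are plain start/end ranges with no notion of CIDR alignment, it checks the table first for prefixes with host bits set (192.168.3.16/25 from the original post fails this, since /25 would cover 192.168.3.0-127 and overlap HR) and for overlapping ranges. The table and the field names `host`, `srcip`, `dstip` are taken from the thread; the function names are this example's own.

```python
import ipaddress

# Constructed table modelled on the thread's CIDR/tag list (the FL_SALES
# row is left out because 192.168.3.16/25 is not an aligned prefix; see
# bad_prefixes() below).
SUBNET_TAGS = [
    ("192.168.1.0/26", "TX_SALES"),
    ("192.168.1.64/26", "CA_SALES"),
    ("192.168.1.128/25", "UNASSIGNED"),
    ("192.168.2.0/24", "DEVELOPMENT"),
    ("192.168.3.0/28", "HR"),
]

# Fields Martin's macro filters on.
FIELDS = ("host", "srcip", "dstip")


def bad_prefixes(rows):
    """Return the CIDR strings whose host bits are set (e.g. 192.168.3.16/25).

    strict=True makes ipaddress reject such prefixes instead of silently
    rounding them down to the containing network.
    """
    bad = []
    for cidr, _tag in rows:
        try:
            ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            bad.append(cidr)
    return bad


def parse_table(rows, strict=True):
    """Return a list of (ip_network, tag). strict=False rounds unaligned prefixes down."""
    return [(ipaddress.ip_network(cidr, strict=strict), tag) for cidr, tag in rows]


def check_overlaps(nets):
    """Return (tag_a, tag_b) pairs whose ranges overlap; an empty list means the table is clean."""
    clashes = []
    for i, (net_a, tag_a) in enumerate(nets):
        for net_b, tag_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((tag_a, tag_b))
    return clashes


def macro_query(net, fields=FIELDS):
    """Range filter in the form Martin saves as a macro: field>=first field<=last per field."""
    first, last = net[0], net[-1]  # network address and broadcast address
    return " ".join(f"{f}>={first} {f}<={last}" for f in fields)


def known_subnets(nets):
    """Build the whois 'known_subnets' fragment: start address -> {end, org}."""
    return {
        str(net.network_address): {"end": str(net.broadcast_address), "org": tag}
        for net, tag in nets
    }


def tag_for(ip, nets):
    """Longest-prefix match of one IP against the table; None if it is untagged."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, tag in nets:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tag)
    return best[1] if best else None


if __name__ == "__main__":
    assert not bad_prefixes(SUBNET_TAGS)
    nets = parse_table(SUBNET_TAGS)
    assert not check_overlaps(nets)
    for net, tag in nets:
        print(f"# macro {tag}")
        print(macro_query(net))
    import json
    print(json.dumps({"whois": {"known_subnets": known_subnets(nets)}}, indent=2))
    print("192.168.1.70 ->", tag_for("192.168.1.70", nets))
```

Run the validation before pasting anything into elsa_web.conf or saving a macro: an unaligned prefix that gets rounded down, or two overlapping ranges, will quietly tag traffic with the wrong org, and the search-side macro will match hosts that were never meant to be in that group.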