Subnet Mask in Discover's filter


joh nte

Feb 10, 2023, 8:53:48 AM
to Wazuh mailing list
Hi,
I would like to know if there's a way to add a subnet mask in Wazuh's Discover, because I want to filter out the non-routable address space from a search.

I've tried, for example, to add the filter:
data.srcip is not one of 10.0.0.0/8 or 192.168.0.0/16

but it doesn't seem to work!

Is it even possible?

Thanks,

Giovanni

Federico Gustavo Galland

Feb 13, 2023, 5:13:02 AM
to Wazuh mailing list
Hi there,

There are no subnet mask filters that I'm aware of, but you can perform a simple query with a regex such as the following to look for a particular subnet:

{
  "query": {
    "regexp": {
      "data.srcip": "192.168.<0-255>.<0-255>"
    }
  }
}

The example above is equivalent to: 192.168.0.0/16


Let us know if this helped.

Regards,

Federico
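
The regexp trick above generalises to any IPv4 CIDR block, including prefixes that do not end on an octet boundary (172.16.0.0/12 needs `<16-31>` in the second octet, not `<0-255>`), and it can be combined in a `bool`/`must_not` query to get the "is not one of" exclusion asked for at the top of the thread. The following is an added example written for this thread, not Wazuh project code: it derives the Lucene regexp from a CIDR string, escapes the dots (an unescaped `.` in Lucene regexp matches any character), builds the exclusion query, and checks the generated patterns offline against a handful of constructed sample alerts. It assumes the field (here `data.srcip`) is indexed as a keyword string, which is what the `regexp` query requires; the sample documents and the `RFC1918` list are constructed for the example.

```python
"""Approximate CIDR filters with the Lucene regexp syntax used by the
OpenSearch/Elasticsearch "regexp" query, for a keyword-typed IPv4 field.

Added example for this thread, not Wazuh project code. Assumes the field
(here data.srcip) is stored as a keyword string; the <lo-hi> numeric
interval operator is part of Lucene's default regexp flags.
"""
import ipaddress
import json
import re


def cidr_to_regexp(cidr: str) -> str:
    """Return a Lucene regexp accepting exactly the IPv4 addresses in `cidr`.

    A CIDR block is a cross product of per-octet ranges: octets fully covered
    by the prefix are fixed, the octet the prefix ends in becomes <lo-hi>, and
    any remaining octets are <0-255>. Dots are escaped because an unescaped
    "." in Lucene regexp matches any single character.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 only")
    first, last = int(net.network_address), int(net.broadcast_address)
    octets = []
    for shift in (24, 16, 8, 0):
        lo, hi = (first >> shift) & 0xFF, (last >> shift) & 0xFF
        octets.append(str(lo) if lo == hi else f"<{lo}-{hi}>")
    return r"\.".join(octets)


def exclude_cidrs_query(field: str, cidrs) -> dict:
    """Query DSL that drops documents whose `field` falls in any of `cidrs`,
    i.e. Discover's "is not one of" with subnet semantics. Paste the object
    into the filter editor's "Edit as Query DSL" view."""
    return {
        "query": {
            "bool": {
                "must_not": [{"regexp": {field: cidr_to_regexp(c)}} for c in cidrs]
            }
        }
    }


def _lucene_to_python(pattern: str) -> str:
    """Expand Lucene's <lo-hi> intervals into plain alternations so the
    pattern can be checked offline with Python's re module."""
    def expand(m):
        lo, hi = int(m.group(1)), int(m.group(2))
        return "(?:" + "|".join(str(n) for n in range(lo, hi + 1)) + ")"
    return re.sub(r"<(\d+)-(\d+)>", expand, pattern)


def in_cidr_by_regexp(ip: str, cidr: str) -> bool:
    """True if the generated regexp accepts `ip` (whole-term match, as Lucene does)."""
    return re.fullmatch(_lucene_to_python(cidr_to_regexp(cidr)), ip) is not None


RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed sample documents shaped like Wazuh alerts; not real data.
SAMPLE_ALERTS = [
    {"data": {"srcip": "10.20.30.40"}},
    {"data": {"srcip": "192.168.1.5"}},
    {"data": {"srcip": "172.20.9.1"}},
    {"data": {"srcip": "172.32.0.1"}},  # one past the end of 172.16.0.0/12
    {"data": {"srcip": "8.8.8.8"}},
]


def routable_srcips(alerts, cidrs=RFC1918) -> list:
    """Apply the must_not semantics locally to show what the query would keep."""
    return [
        a["data"]["srcip"]
        for a in alerts
        if not any(in_cidr_by_regexp(a["data"]["srcip"], c) for c in cidrs)
    ]


if __name__ == "__main__":
    print(json.dumps(exclude_cidrs_query("data.srcip", RFC1918), indent=2))
    print(routable_srcips(SAMPLE_ALERTS))
```

Two caveats worth keeping in mind. First, the pattern must go in a `regexp` clause: in a `match_phrase` (or `match`) clause the `<0-255>` text is treated as literal characters and matches nothing. Second, this is only a workaround for a string-typed field; if the index mapping stores the address with the `ip` field type, a plain `term` query accepts CIDR notation directly (for example `{"term": {"data.srcip": "10.0.0.0/8"}}`) and is both exact and far cheaper than a `regexp`, which OpenSearch has to evaluate against every term in the field.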

joh nte

Feb 20, 2023, 5:49:36 AM
to Wazuh mailing list
Hi Federico,
thanks for the reply!
Unfortunately it doesn't seem to work; in fact, in my dashboard I still see all the events containing non-routable addresses.

For example, if I set this query to exclude results, they're still visible:

{
  "query": {
    "match_phrase": {
      "data.srcip": "10.<0-255>.<0-255>.<0-255>"
    }
  }
}

Federico Gustavo Galland

Feb 20, 2023, 6:52:00 AM
to joh nte, Wazuh mailing list
Hi Joh,

In your quoted query, you are using "match_phrase" instead of "regexp". Make sure to check that out.

Regards,
Federico


