192.168.: Matches 192.168.0.0 - 192.168.255.255
172.16.19.: Matches 172.16.19.0 - 172.16.19.255
10.1.1.1: Matches 10.1.1.1
192.168.: RFC 1918 Address space
172.16.:RFC 1918 Address space
172.17.:RFC 1918 Address space
172.18.:RFC 1918 Address space
172.19.:RFC 1918 Address space
172.20.:RFC 1918 Address space
172.21.:RFC 1918 Address space
172.22.:RFC 1918 Address space
172.23.:RFC 1918 Address space
172.24.:RFC 1918 Address space
172.25.:RFC 1918 Address space
172.26.:RFC 1918 Address space
172.27.:RFC 1918 Address space
172.28.:RFC 1918 Address space
172.29.:RFC 1918 Address space
172.30.:RFC 1918 Address space
172.31.:RFC 1918 Address space
10.:RFC 1918 Address space
192.168.: Matches 192.168.0.0 - 192.168.255.255
172.16.19.: Matches 172.16.19.0 - 172.16.19.255
10.1.1.1: Matches 10.1.1.1
172.: Matches 172.16.0.0 - 172.31.255.255
172.16.: Matches 172.16.0.0 - 172.16.255.255
172.17.: Matches 172.17.0.0 - 172.17.255.255
...
Hello prithvisagar.rao,
The Wazuh CDB lists have the “key:value” format so everything you write after the colon is going to be the value of your key.
If you use “172.” as your key it will match for every IP from 172.0.0.0 to 172.255.255.255 even if you try to specify a different range in the value.
To accomplish what you were trying to, you need to specify each subnet, as you suggested with the second option. You don’t even need to specify a value if you are not going to use it; your list could look like the following one:
172.16.:
172.17.:
172.18.:
172.19.:
...
You may check how to create, compile and use a CDB list with Wazuh here: https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html?
Regards.
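
The following is an added example, not part of the thread and not Wazuh code: it generates the per-subnet keys recommended above from CIDR blocks and compares them with a single `172.` key. The function names are hypothetical, and `cdb_match` only emulates the prefix behaviour as described in the reply (a key ending in a dot matches every address that starts with it).

```python
import ipaddress

# RFC 1918 private ranges, as listed in the thread.
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

def cidr_to_cdb_keys(cidr):
    """Expand one IPv4 CIDR block into dotted-prefix keys on octet boundaries."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    # A dotted prefix can only express /8, /16 or /24 (or a full /32 address),
    # so round the prefix length up to the next octet boundary and enumerate.
    octets = max(1, -(-net.prefixlen // 8))
    keys = []
    for sub in net.subnets(new_prefix=octets * 8):
        parts = str(sub.network_address).split(".")[:octets]
        # A trailing dot marks a prefix key; a full address is an exact key.
        keys.append(".".join(parts) + ("." if octets < 4 else ""))
    return keys

def render_cdb_list(cidrs, value=""):
    """Return list-file text, one 'key:value' entry per line (value may be empty)."""
    return "\n".join(f"{k}:{value}" for c in cidrs for k in cidr_to_cdb_keys(c))

def cdb_match(ip, keys):
    """Emulate the lookup described in the thread (assumption, not Wazuh code):
    a key ending in '.' matches every address that starts with it."""
    for key in keys:
        if ip == key or (key.endswith(".") and ip.startswith(key)):
            return key
    return None

if __name__ == "__main__":
    print(render_cdb_list(RFC1918, "RFC 1918 Address space"))
    keys = [k for c in RFC1918 for k in cidr_to_cdb_keys(c)]
    # Constructed sample addresses: two private, two public inside 172.0.0.0/8.
    for ip in ["172.16.19.7", "172.31.255.255", "172.15.0.1", "172.32.0.1"]:
        print(ip, "single '172.' key:", cdb_match(ip, ["172."]),
              "| per-subnet keys:", cdb_match(ip, keys))
```

With the single `172.` key, the public addresses 172.15.0.1 and 172.32.0.1 are treated as private; with the sixteen generated keys they are not.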