how to make rule with few ip addreses in srcip?

[Mefisto Evil]

hello looks like <srcip> tag is for one ip address. how can i add for example 10 ip addreses in one line if i monitoring events from pool of ip addreses? or should i add 10 tags

<srcip> for that? i want something like <srcip> 192.168.1.1, 192.168.1.2, 192.168.1.3 </srcip>

not

<srcip> 192.168.1.1 </srcip>

<srcip> 192.168.1.2</srcip>

<srcip> 192.168.1.3</srcip>

didnt find anything about it in documentation..

[Devender Rao]

Hi ,

Thanks For using Wazuh! 

You can use IP subnets(CIDR Block )  like <srcip> 192.168.1.1/24 </srcip>  to use more IP addresses. 

Reference:- 
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#srcip

I hope it helps. Please let us know if you have any further queries here.

Regards,
Devender

[Mefisto Evil]

Devender Rao

thank you this helps but what if i need not CIDR block? for example 192.168.1.1 192.168.10 192.168.110.5 192.168.10.15 i need to make <srcip> for every ip? or could all this ip in one tag <srcip> ?

среда, 26 апреля 2023 г. в 10:32:46 UTC+5, Devender Rao:

[Devender Rao]

Hi ,

The Rule syntax supports any IP address or CIDR block to an IP decoded as srcip , you can use <srcip> tag multiple times in the same rule and the resulting value is their concatenation.
There is no other way to add these IP addresses, as these fields do not support regex or other formats. 

You can check the documentation for the same.

Reference:-
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html#srcip

I hope it helps. Please let us know if you have any further queries here.

Regards,
Devende