IPv6 Address range in CDB List


Paul

Oct 16, 2025, 5:24:03 AM
to Wazuh | Mailing List
Hi,

I have tried to implement IPv6 address ranges in my CDB list by using the format below:
"2a00:23c8:"

However, my rule that refers to the list is still triggering with IPv6 addresses beginning with
2a00:23c8:

I have to input the full IPv6 address for the rule to stop triggering.

Am I using this correctly?
Does anyone know of a resolve?

Many Thanks

Paul

jorge....@wazuh.com

Oct 16, 2025, 7:14:35 AM
to Wazuh | Mailing List
Hello Paul,

From what I understand, you created a Negative Key Match configuration using the IP address 2a00:23c8:, but despite that, the rule is still triggering.

Am I correct?
I'm investigating if that is the case to verify whether the syntax for specifying the range is correct.

When you have a chance, could you confirm whether the error is that or not?

Paul

Oct 16, 2025, 9:48:25 AM
to Wazuh | Mailing List
Hi Jorge,

Thank you for getting back so quickly. Yes, that is the case. The rule reads as follows:

<rule id="100002" level="12" frequency="2" timeframe="60" ignore="60">
  <if_matched_sid>91545</if_matched_sid>
  <field name="office365.organizationId">Microsoft365TeanantID</field>
  <field name="office365.Operation">UserLoggedIn</field>
  <field name="office365.UserType">0</field>
  <list field="office365.ClientIP" lookup="not_address_match_key">etc/lists/ipcomms</list>
  <description>IP-Comms User login from non authorized device or country (Not in whitelist)</description>
</rule>

Many Thanks

Paul

jorge....@wazuh.com

Oct 16, 2025, 9:56:49 AM
to Wazuh | Mailing List
Hello Paul,

I have confirmed with my colleagues that there is no way to use an IPv6 range, so you would need to specify the exact IPs.

This is because it uses the dot (.) as a mask indicator to compare ranges, so only IPv4 range addresses are supported.

Paul

Oct 16, 2025, 3:21:15 PM
to Wazuh | Mailing List
Hi Jorge,

Thanks for confirming this. Is this something that is in the roadmap, as IPv6 is quite prevalent in the UK with some of the bigger ISPs currently using it?

Many Thanks

jorge....@wazuh.com

Oct 17, 2025, 5:49:42 AM
to Wazuh | Mailing List
Hi Paul,

I have talked with my colleagues to find out whether we have it in the roadmap. They have confirmed to me that right now it is not in the roadmap, but they will study it and maybe add it in a future release.

Glad to help with anything I can. If you find any other issue, you can open a new thread and we will help you solve it.
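
Added example, not part of the thread and not Wazuh's code: a small Python model of the behaviour described in the replies above, assuming prefix keys are only recognised when they end in a dot. It shows why the key "2a00:23c8:" never suppresses rule 100002, and uses the standard ipaddress module to pick out which logged addresses inside the intended prefix would each need an exact list entry; the function names, the /32 prefix length and the sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed list keys mirroring the thread: an IPv4 prefix key (trailing dot),
# one exact IPv6 address, and the IPv6 "prefix" key that was tried.
LIST_KEYS = {"192.168.", "2a00:23c8:1:2::10", "2a00:23c8:"}

# Assumed prefix length for the range the list author intended to allow.
INTENDED_NETWORKS = ["2a00:23c8::/32"]

# Constructed sample of office365.ClientIP values.
SAMPLE_CLIENT_IPS = ["192.168.4.7", "2a00:23c8:1:2::10",
                     "2a00:23c8:abcd::1", "2a00:23c9::1"]


def address_match_key(ip, keys):
    """Simplified model (assumption): try the exact key, then shorter and
    shorter prefixes, looking up only prefixes that end in a dot."""
    if ip in keys:
        return True
    for end in range(len(ip) - 1, 0, -1):
        prefix = ip[:end]
        if prefix.endswith(".") and prefix in keys:
            return True
    return False


def rule_fires(ip, keys):
    """lookup="not_address_match_key": the condition holds when no key matches."""
    return not address_match_key(ip, keys)


def in_allowed_networks(ip, networks):
    """Real CIDR membership test, valid for both IPv4 and IPv6."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def needs_exact_entry(ips, keys, networks):
    """Addresses inside the intended range that still trigger the rule,
    i.e. the ones that would have to be listed as full addresses."""
    return [ip for ip in ips
            if rule_fires(ip, keys) and in_allowed_networks(ip, networks)]


if __name__ == "__main__":
    for ip in SAMPLE_CLIENT_IPS:
        print(ip, "fires" if rule_fires(ip, LIST_KEYS) else "suppressed")
    print(needs_exact_entry(SAMPLE_CLIENT_IPS, LIST_KEYS, INTENDED_NETWORKS))
```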
