Based on the documentation, CDBList support for IP addresses is prefix-based matching using dot notation. That's why examples like 192.168. (/16) or 172.16.19. (/24) work: they align perfectly with octet boundaries and can be represented as simple string prefixes.
Ranges such as /17, /21, or /12, by contrast, do not align neatly on full octets. For example, a /17 splits a /16 in half at the bit level, not at a dot boundary. Since CDB lists rely on string matching rather than bitwise subnet evaluation, there is no way to represent those ranges using dot notation alone. It would either match too much or not enough, which means spilling.
Right now, CDB lists specifically are designed for exact or prefix string lookups, not subnet math.
There is a feature request regarding this here, which means this will be reviewed in the near future for enhancement.
Regards,
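
As an added example (not part of the reply above and not Wazuh code), this Python sketch shows the over-match a single dotted prefix produces for a /17, and goes one step beyond the reply by expanding an IPv4 block into the set of octet-aligned prefixes that together cover it exactly. The function names and the sample network are constructed for illustration; the trailing-dot key style follows the `192.168.` and `172.16.19.` examples in the reply.

```python
import ipaddress

def octet_prefixes(cidr):
    """Cover an IPv4 CIDR block exactly with dot-notation prefixes (or full IPs)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    # Round the prefix length up to the next octet boundary: 8, 16, 24 or 32.
    aligned = max(8, -(-net.prefixlen // 8) * 8)
    keys = []
    for sub in net.subnets(new_prefix=aligned):
        octets = str(sub.network_address).split(".")[: aligned // 8]
        key = ".".join(octets)
        # A trailing dot marks a prefix; a /32 is written as the full address.
        keys.append(key if aligned == 32 else key + ".")
    return keys

def prefix_match(ip, keys):
    """String-only lookup: exact match, or starts with a dotted prefix."""
    return any(ip == k or (k.endswith(".") and ip.startswith(k)) for k in keys)

def in_subnet(ip, cidr):
    """Bitwise reference check, for comparison with the string lookup."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

if __name__ == "__main__":
    cidr = "10.20.128.0/17"  # constructed sample network
    keys = octet_prefixes(cidr)
    print(len(keys), "prefixes:", keys[0], "...", keys[-1])
    print("ip              bitwise  '10.20.'  expanded")
    for ip in ("10.20.127.9", "10.20.128.1", "10.20.255.254"):
        print(f"{ip:15} {in_subnet(ip, cidr)!s:8} "
              f"{prefix_match(ip, ['10.20.'])!s:9} {prefix_match(ip, keys)}")
```

A /17 expands to 128 /24 prefixes and a /12 to 16 /16 prefixes; anything longer than /24 falls back to one entry per address.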