Compare two datasets

Hi Jack,

An IP Address is made of 4 parts.
A.B.C.D

You need to analyse this IP address in a multi field search.

  1. The first analyser can be a stop analyser where you can separate the IP address on the basis of . (dot).
  2. The second analyser can be a standard analyser with a char filter which removes . from the IP address and makes the entire IP address a single string.

So when you run your analysis you can multi search your new IP address against both analysed forms of the text we have. Any score beyond 80 percent can be considered a malicious IP for you. The percentage can be tweaked as per use case.

Let me know if this works for you.
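
The two-analyser, multi-field idea from the reply above, sketched as Elasticsearch index settings (an added example, not part of the original post). The field name `ip` and the names `ip_octets`, `ip_joined`, `dot_split` and `strip_dots` are hypothetical, and the dot split is done here with a custom analyser built on a `pattern` tokenizer, which is an assumption about how to get one token per octet.

```json
{
  "settings": {
    "analysis": {
      "char_filter": {
        "strip_dots": {
          "type": "pattern_replace",
          "pattern": "\\.",
          "replacement": ""
        }
      },
      "tokenizer": {
        "dot_split": {
          "type": "pattern",
          "pattern": "\\."
        }
      },
      "analyzer": {
        "ip_octets": {
          "type": "custom",
          "tokenizer": "dot_split"
        },
        "ip_joined": {
          "type": "custom",
          "char_filter": ["strip_dots"],
          "tokenizer": "standard"
        }
      }
    }
  },
  "mappings": {
    "properties": {
      "ip": {
        "type": "keyword",
        "fields": {
          "octets": { "type": "text", "analyzer": "ip_octets" },
          "joined": { "type": "text", "analyzer": "ip_joined" }
        }
      }
    }
  }
}
```

With these settings `A.B.C.D` is indexed as four tokens under `ip.octets` and as one dot-free token under `ip.joined`, and a `multi_match` query listing both sub-fields searches the two forms together. The `_analyze` API with each analyser name shows the tokens produced for a sample address before any data is loaded.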