Exclude internal IPs


(Brad Birdwell) #1

I am still new and working to figure out how to use elasticsearch correctly to do what I want. I have been able to write some queries to get some information about all of the traffic on our network but now I would like to filter out anything that is internal and only show internet traffic.

Currently I am set up as follows
ASA firewall -> ELK (via Netflow)

What is the proper way to exclude 10.0.0.0/4, 172.16.0.0/12 and 192.168.0.0/16 from the rest of the traffic? I'm sure it's simple and I am just going about it all wrong.

Brad


(Shelby Sturgis) #2

Hi Brad,

You can exclude those patterns from your query using the searchbox and lucene query syntax. Here is a nice tutorial site for learning the lucene query syntax.

-ip: "10.0.0.0/4" AND -ip: "172.16.0.0/12" AND -ip: "192.168.0.0/16"

where ip is the field name.
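As an added example (not part of either post above), the following Python builds the same kind of exclusion in two forms: the Kibana search-bar string shown in the answer, and the equivalent Elasticsearch query DSL. It assumes the private ranges are the RFC 1918 blocks (RFC 1918 defines the first one as 10.0.0.0/8), that the index maps the address fields as the `ip` type (term queries on `ip` fields accept CIDR notation; on a `keyword` field a CIDR value matches nothing), and that a NetFlow document carries both a source and a destination address, so "internet traffic" means at least one endpoint is outside the private ranges. Field names `src` and `dst` and the flow records are constructed for the example.

```python
import ipaddress
import json

# RFC 1918 private address blocks: 10/8, 172.16/12, 192.168/16.
PRIVATE_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(ip: str) -> bool:
    """True if the address falls inside one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETWORKS)


def lucene_exclusion(field: str) -> str:
    """Kibana search-bar (Lucene syntax) string that drops every private block on one field."""
    return " AND ".join(f'-{field}:"{net}"' for net in PRIVATE_NETWORKS)


def _any_private(field: str) -> dict:
    # bool/should over the three CIDR term queries: "this field is a private address".
    return {
        "bool": {
            "should": [{"term": {field: str(net)}} for net in PRIVATE_NETWORKS],
            "minimum_should_match": 1,
        }
    }


def external_flows_query(src_field: str, dst_field: str) -> dict:
    """Elasticsearch query DSL keeping flows with at least one public endpoint.

    A flow is purely internal only when BOTH endpoints are private, so the
    must_not clause excludes documents matching "src private AND dst private".
    Excluding any document with a private src alone would also drop every
    internal host talking to the internet, which is usually the traffic wanted.
    Field names are assumed; adjust to the NetFlow mapping in use.
    """
    return {
        "query": {
            "bool": {
                "must_not": [
                    {"bool": {"must": [_any_private(src_field), _any_private(dst_field)]}}
                ]
            }
        }
    }


def filter_external(flows: list) -> list:
    """Offline equivalent of external_flows_query over already-exported flow records."""
    return [f for f in flows if not (is_private(f["src"]) and is_private(f["dst"]))]


# Constructed sample flow records (not real captured data).
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dst": "192.168.5.6", "bytes": 1200},      # internal <-> internal
    {"src": "172.16.9.9", "dst": "93.184.216.34", "bytes": 8000},  # internal -> internet
    {"src": "198.51.100.7", "dst": "10.0.0.25", "bytes": 300},     # internet -> internal
    {"src": "172.32.0.1", "dst": "192.168.0.1", "bytes": 50},      # 172.32/16 is NOT in 172.16/12
]

if __name__ == "__main__":
    print(lucene_exclusion("ip"))
    print(json.dumps(external_flows_query("src", "dst"), indent=2))
    for flow in filter_external(SAMPLE_FLOWS):
        print(flow)
```

The last sample record is the edge case worth checking: 172.32.0.1 lies just past the end of 172.16.0.0/12 (which covers 172.16.0.0 through 172.31.255.255), so that flow is kept as external traffic by both the query and the offline filter.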
