Exclude internal ip's

Bradly · February 17, 2016, 7:43pm

I am still new and working to figure out how to use elasticsearch correctly to do what I want. I have been able to write some query's to get some information about all of the traffic on our network but now I would like to filter out anything that is internal and only show internet traffic.

Currently I am setup as follows
ASA firewall -> ELK (via Netflow)

What is the proper way to exclude 10.0.0.0/4, 172.16.0.0/12 and 192.168.0.0/16 from the rest of the traffic. Im sure its simple and I am just going about it all wrong.

Brad

stormpython · February 17, 2016, 8:15pm

Hi Brad,

You can exclude those patterns from your query using the searchbox and lucene query syntax. Here is a nice tutorial site for learning the lucene query syntax.

-ip: "10.0.0.0/4" AND -ip: "172.16.0.0/12" AND -ip: "192.168.0.0/16"

where ip is the field name.

Topic		Replies	Views
How do you exclude subnets from search results in Kibana? Elastic Search	4	12	November 20, 2024
Kibana Visualization Regex Exclusion issue Kibana lens	5	476	August 16, 2023
Kibana search query to remove ip range Kibana	3	23858	July 6, 2017
Detecting inital of breach SIEM	2	141	July 9, 2024
Anyway to exclude IP ranges in discover? Logstash	4	804	January 3, 2019

Exclude internal ip's

Related topics