IP match failed

javierelastic · September 6, 2023, 9:03pm

Hi everyone!
Something strange happens to me.
I'm trying to see if a source ip matches a pattern I indicate. The ip is 100.44.1.128 and it tells me that it matches "^10.*"
How is it possible?

if [IPorigen] =~ "^10.*" or [IPorigen] =~ "^127.0.*" or [IPorigen] == "0.0.0.0" or [IPorigen] =~ "^192.168.*" { 
			mutate {
				add_tag => ["IP interna"]
			}
		}

leandrojmp · September 6, 2023, 9:34pm

Because it is a regex, and the 10.* will match anything that starts with 10, so it will match 10, 100, 101 etc.

Try to escape the ., using ^10\.*

If it helps, I use the following filters to tag internal and external IPs for the field source.ip, you can adapt to your use case.

filter {
    if [source][ip] and ":" not in [source][ip] {
        mutate {
            add_field => {
                "[@metadata][srcIP]" => "%{[source][ip]}"
            }
        }
        mutate {
            convert => { "[@metadata][srcIP]" => "string" }
        }
        mutate {
            split => { "[@metadata][srcIP]" => "." }
        }
    }
    if [@metadata][srcIP] {
        if [@metadata][srcIP][0] in ["0","10","127"] {
            mutate {
                add_tag => ["internal-ip"]
            }
        } else if [@metadata][srcIP][0] == "192" and [@metadata][srcIP][1] == "168" {
            mutate {
                add_tag => ["internal-ip"]
            }
        } else if [@metadata][srcIP][0] == "169" and [@metadata][srcIP][1] == "254" {
            mutate {
                add_tag => ["internal-ip"]
            }
        } else if [@metadata][srcIP][0] == "172" and [@metadata][srcIP][1] in ["16","17","18","19","20","21","22","23","24","25","26","27","28","29","30","31"] {
            mutate {
                add_tag => ["internal-ip"]
            }
        } else {
            mutate {
                add_tag=> ["external-ip"]
            }
        }
    }
}

Badger · September 6, 2023, 9:52pm

You might find the cidr filter useful.

javierelastic · September 7, 2023, 10:05am

Thanks for the explanation and your code suggestion. 10\ does not work correctly. It detects "10" in other parts of IP address and the result is even worse

javierelastic · September 7, 2023, 11:27am

thanks for the advice.
I have applied the cidr filter and it is easier to make it work for my case.

cidr{
			address => ["%{IPorigen}"]
			network => ["10.0.0.0/8", "127.0.0.0/8", "0.0.0.0/32", "192.168.0.0/16"]
			add_tag => ["IP interna"]
		}

system · October 5, 2023, 11:27am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.