IP match failed

Hi everyone!
Something strange happens to me.
I'm trying to see if a source ip matches a pattern I indicate. The ip is 100.44.1.128 and it tells me that it matches "^10.*"
How is it possible?

if [IPorigen] =~ "^10.*" or [IPorigen] =~ "^127.0.*" or [IPorigen] == "0.0.0.0" or [IPorigen] =~ "^192.168.*" {
    mutate {
        add_tag => ["IP interna"]
    }
}

Because it is a regex, and the 10.* will match anything that starts with 10, so it will match 10, 100, 101 etc.

Try to escape the ., using ^10\.*

If it helps, I use the following filters to tag internal and external IPs for the field source.ip, you can adapt to your use case.

filter {
    if [source][ip] and ":" not in [source][ip] {
        mutate {
            add_field => {
                "[@metadata][srcIP]" => "%{[source][ip]}"
            }
        }
        mutate {
            convert => { "[@metadata][srcIP]" => "string" }
        }
        mutate {
            split => { "[@metadata][srcIP]" => "." }
        }
    }
    if [@metadata][srcIP] {
        if [@metadata][srcIP][0] in ["0","10","127"] {
            mutate {
                add_tag => ["internal-ip"]
            }
        } else if [@metadata][srcIP][0] == "192" and [@metadata][srcIP][1] == "168" {
            mutate {
                add_tag => ["internal-ip"]
            }
        } else if [@metadata][srcIP][0] == "169" and [@metadata][srcIP][1] == "254" {
            mutate {
                add_tag => ["internal-ip"]
            }
        } else if [@metadata][srcIP][0] == "172" and [@metadata][srcIP][1] in ["16","17","18","19","20","21","22","23","24","25","26","27","28","29","30","31"] {
            mutate {
                add_tag => ["internal-ip"]
            }
        } else {
            mutate {
                add_tag => ["external-ip"]
            }
        }
    }
}

You might find the cidr filter useful.


Thanks for the explanation and your code suggestion. 10\ does not work correctly. It detects "10" in other parts of IP address and the result is even worse

Thanks for the advice.
I have applied the cidr filter and it is easier to make it work for my case.

cidr {
    address => ["%{IPorigen}"]
    network => ["10.0.0.0/8", "127.0.0.0/8", "0.0.0.0/32", "192.168.0.0/16"]
    add_tag => ["IP interna"]
}
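The two points made in the replies above, as an added Ruby example that is not from the thread or from Logstash itself: `^10.*` matches `100.44.1.128` because the unescaped dot is a wildcard, while an IPAddr-based membership test does what the cidr filter does. The network list combines the cidr filter above with the 169.254 and 172.16-31 ranges the earlier answer enumerates octet by octet; the sample addresses are constructed.

```ruby
require "ipaddr"

# Constructed sample: the address from the question plus a few neighbours.
SAMPLE_IPS = ["100.44.1.128", "10.0.5.7", "192.168.1.10", "172.20.3.4",
              "172.32.0.1", "8.8.8.8", "127.0.0.1", "::1", "not-an-ip"].freeze

# The pattern from the original filter: "." is a regex wildcard, so "^10.*"
# matches any string that starts with "10", including "100.44.1.128".
LOOSE_PATTERN = /^10.*/
# Escaping the dot makes the octet boundary explicit: "10" then a literal ".".
STRICT_PATTERN = /^10\./

def loose_match?(ip)
  !!(ip =~ LOOSE_PATTERN)
end

def strict_match?(ip)
  !!(ip =~ STRICT_PATTERN)
end

# Networks from the cidr filter in the thread, plus link-local and 172.16/12
# (the ranges the octet-splitting answer spells out as "169.254" and "172.16".."172.31").
INTERNAL_NETWORKS = %w[
  10.0.0.0/8 127.0.0.0/8 0.0.0.0/32 192.168.0.0/16 169.254.0.0/16 172.16.0.0/12
].map { |cidr| IPAddr.new(cidr) }.freeze

# Mirrors the cidr filter: parse the address and test membership in each network.
# Returns the tag the thread's mutate blocks would add; "invalid" for unparseable
# input, and IPv6 is skipped like the ':' guard in the octet-splitting filter.
def classify(ip)
  addr = IPAddr.new(ip)
  return "ipv6-not-classified" unless addr.ipv4?
  INTERNAL_NETWORKS.any? { |net| net.include?(addr) } ? "IP interna" : "IP externa"
rescue IPAddr::InvalidAddressError
  "invalid"
end

def classify_all(ips)
  ips.to_h { |ip| [ip, classify(ip)] }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_IPS.each do |ip|
    puts format("%-14s loose=%-5s strict=%-5s cidr=%s",
                ip, loose_match?(ip), strict_match?(ip), classify(ip))
  end
end
```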
