Hello,
I'm querying Elasticsearch using the query DSL in Kibana "Dev Tools".
I have the following code:
{
  "query": {
    "bool": {
      "must": [
        {"range": {
          "@timestamp": {
            "gte": "now-10m/m",
            "lt": "now/m"
          }
        }}
      ],
      "must_not": [
        {"term": {"dstzone.keyword": "WAN"}},
        {"term": {"dst_ip.keyword": "SOME_IP"}},
        {"term": {"dst_ip.keyword": "SOME_IP"}},
        {"term": {"dst_ip.keyword": "SOME_IP"}},
        {"wildcard": {"dst_ip.keyword": "*.255"}}
      ],
      "should": [
        {"wildcard": {"dst_ip.keyword": "10.*"}},
        {"wildcard": {"dst_ip.keyword": "172.16.*"}},
        {"wildcard": {"dst_ip.keyword": "172.17.*"}},
        {"wildcard": {"dst_ip.keyword": "172.18.*"}},
        {"wildcard": {"dst_ip.keyword": "172.19.*"}},
        {"wildcard": {"dst_ip.keyword": "172.20.*"}},
        {"wildcard": {"dst_ip.keyword": "172.21.*"}},
        {"wildcard": {"dst_ip.keyword": "172.22.*"}},
        {"wildcard": {"dst_ip.keyword": "172.23.*"}},
        {"wildcard": {"dst_ip.keyword": "172.24.*"}},
        {"wildcard": {"dst_ip.keyword": "172.25.*"}},
        {"wildcard": {"dst_ip.keyword": "172.26.*"}},
        {"wildcard": {"dst_ip.keyword": "172.27.*"}},
        {"wildcard": {"dst_ip.keyword": "172.28.*"}},
        {"wildcard": {"dst_ip.keyword": "172.29.*"}},
        {"wildcard": {"dst_ip.keyword": "172.30.*"}},
        {"wildcard": {"dst_ip.keyword": "172.31.*"}},
        {"wildcard": {"dst_ip.keyword": "192.168.*"}}
      ]
    }
  }
}
This code is supposed to return all documents where "dst_ip" is a private IP, but the problem is that when I execute it I get many documents where "dst_ip" is public.
Do you have any idea how to fix this?
Thanks in advance.
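The behaviour asked about above comes from the `bool` query semantics: when a `must` (or `filter`) clause is present, `should` clauses are optional by default and only influence scoring, so the eighteen wildcards never exclude anything. The script below is an added example, not code from the original post or from Elasticsearch. It builds the posted query with and without `minimum_should_match: 1`, plus a CIDR variant for a `dst_ip` field mapped as type `ip`, and runs all three through a small local evaluator that mirrors the relevant DSL rules over constructed sample hits, so the difference can be checked offline. Field names (`dst_ip`, `dstzone`, `@timestamp`) follow the post; the sample documents, the excluded address and the evaluator itself are assumptions.

```python
"""Added example: local evaluator for the bool/term/wildcard/terms subset of the
Elasticsearch query DSL, used to show why the posted query returns public
dst_ip values and how the corrected queries behave. Not Elasticsearch code."""
import fnmatch
import ipaddress

# RFC 1918 space in CIDR form; this is what an `ip`-mapped field would filter on.
PRIVATE_CIDRS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
TIME_WINDOW = {"range": {"@timestamp": {"gte": "now-10m/m", "lt": "now/m"}}}


def private_ip_wildcards():
    """The post's wildcard clauses on dst_ip.keyword, generated instead of typed."""
    patterns = ["10.*", "192.168.*"] + [f"172.{n}.*" for n in range(16, 32)]
    return [{"wildcard": {"dst_ip.keyword": p}} for p in patterns]


def build_keyword_query(excluded_ips, fixed):
    """The post's query on a keyword field. fixed=True adds the one missing
    setting: with a `must` clause present, `should` is optional unless
    minimum_should_match is set, so without it the wildcards only affect score."""
    bool_q = {
        "must": [TIME_WINDOW],
        "must_not": [{"term": {"dstzone.keyword": "WAN"}}]
        + [{"term": {"dst_ip.keyword": ip}} for ip in excluded_ips]
        + [{"wildcard": {"dst_ip.keyword": "*.255"}}],
        "should": private_ip_wildcards(),
    }
    if fixed:
        bool_q["minimum_should_match"] = 1
    return {"query": {"bool": bool_q}}


def build_cidr_query(excluded_ips):
    """Same intent if dst_ip is mapped as type `ip`: term/terms queries on ip
    fields accept CIDR notation, so three ranges replace eighteen wildcards and
    the filter context is cached and never scored."""
    return {"query": {"bool": {
        "must": [TIME_WINDOW],
        "filter": [{"terms": {"dst_ip": PRIVATE_CIDRS}}],
        "must_not": [{"term": {"dstzone.keyword": "WAN"}}]
        + [{"term": {"dst_ip": ip}} for ip in excluded_ips],
    }}}


def _field(doc, name):
    # A default dynamic mapping stores the same value under the text field and
    # its .keyword sub-field, so both names read the same document value here.
    return doc.get(name.removesuffix(".keyword"))


def matches(clause, doc):
    """Evaluate one clause against one document, following the ES rules that
    matter here. The range clause is taken as true: the constructed sample
    documents are assumed to fall inside the time window."""
    (kind, body), = clause.items()
    if kind == "range":
        return True
    if kind == "term":
        (field, value), = body.items()
        return _field(doc, field) == value
    if kind == "wildcard":  # ES `*` and `?` behave like shell globbing on the term
        (field, pattern), = body.items()
        return fnmatch.fnmatchcase(str(_field(doc, field)), pattern)
    if kind == "terms":  # ip-field semantics: each value is an address or a CIDR
        (field, values), = body.items()
        addr = ipaddress.ip_address(_field(doc, field))
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "bool":
        must_ok = all(matches(c, doc) for c in body.get("must", []))
        filter_ok = all(matches(c, doc) for c in body.get("filter", []))
        not_ok = not any(matches(c, doc) for c in body.get("must_not", []))
        should_hits = sum(matches(c, doc) for c in body.get("should", []))
        # ES default: should is required only when there is no must/filter.
        default_msm = 0 if (body.get("must") or body.get("filter")) else 1
        need = body.get("minimum_should_match", default_msm)
        return must_ok and filter_ok and not_ok and should_hits >= need
    raise ValueError(f"unsupported clause: {kind}")


def run(query, docs):
    """Return the dst_ip of every document the query would match."""
    return [d["dst_ip"] for d in docs if matches(query["query"], d)]


# Constructed sample hits (not real log data).
DOCS = [
    {"dst_ip": "10.1.2.3", "dstzone": "LAN"},
    {"dst_ip": "172.20.0.9", "dstzone": "LAN"},
    {"dst_ip": "172.32.0.1", "dstzone": "LAN"},      # just outside 172.16.0.0/12
    {"dst_ip": "8.8.8.8", "dstzone": "LAN"},         # public: the unwanted hit
    {"dst_ip": "192.168.1.255", "dstzone": "LAN"},   # dropped by the *.255 clause
    {"dst_ip": "10.9.9.9", "dstzone": "WAN"},        # dropped by the dstzone clause
    {"dst_ip": "203.0.113.7", "dstzone": "LAN"},     # public, and explicitly excluded
]
EXCLUDED = ["203.0.113.7"]  # stands in for the post's SOME_IP placeholders

if __name__ == "__main__":
    print("as posted:", run(build_keyword_query(EXCLUDED, fixed=False), DOCS))
    print("fixed:    ", run(build_keyword_query(EXCLUDED, fixed=True), DOCS))
    print("cidr:     ", run(build_cidr_query(EXCLUDED), DOCS))
```

Run as posted, the evaluator returns 8.8.8.8 and 172.32.0.1 alongside the private addresses, because every document that survives `must` and `must_not` is a hit regardless of the `should` list; with `minimum_should_match: 1` only the two RFC 1918 addresses remain. For a detection query the CIDR form is the one to prefer: it needs `dst_ip` mapped as `ip` (or an `ip`-typed copy of the field), but it cannot drift the way a hand-typed list of wildcards can, and it avoids the leading-wildcard `*.255` clause, which is both slow on large indices and not a reliable broadcast test (a host address ending in .255 is valid inside any prefix shorter than /24).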