Wildcard for source.ip field

Hi there,

I would like to know how to fix this search (if it is possible, of course):

(winlog.channel:"Security" AND (winlog.event_id:"4624" AND winlog.event_data.LogonType:"10") AND (NOT (source.ip:(10.* OR 192.168.* OR 172.31* OR 172.30.* OR 172.29.* OR 172.28.* OR 172.27.* OR 172.26.* OR 172.25.* OR 172.24.* OR 172.23.* OR 172.21.* OR 172.20.* OR 172.19.* OR 172.18.* OR 172.17.* OR 172.16.* OR fd* OR fc* OR 127.0.0.1* OR \:\:1*))))

The result I get back is always:

Can only use prefix queries on keyword, text and wildcard fields - not on [source.ip] which is of type [ip]

Help pls.

Thanks for the attention.

As the documentation says, "the most common way to query ip addresses is to use the CIDR notation": [ip_address]/[prefix_length]

For example, to search for 172.30.*, you can use a query:

{
  "query": {
    "term": {
      "ip": "172.30.0.0/16"
    }
  }
}

That's great!!! :slight_smile:

My question is, is that the only way? If you say so, I'm ok....

Thanks

You can also use a range query on ip addresses, like:

{
  "query": {
    "range": {
      "ip": {
        "gte": "172.30.0.0",
        "lte": "172.30.0.1"
      }
    }
  }
}

Ok, understood! Now I'm trying to use a rule from Elastic using the same schema you just pointed out above, but I am still receiving errors:

Rule:

event.category:(network or network_traffic) and network.transport:tcp and (destination.port:3389 or event.dataset:zeek.rdp) and
  not source.ip:(
    10.0.0.0/8 or
    127.0.0.0/8 or
    169.254.0.0/16 or
    172.16.0.0/12 or
    192.0.0.0/24 or
    192.0.0.0/29 or
    192.0.0.8/32 or
    192.0.0.9/32 or
    192.0.0.10/32 or
    192.0.0.170/32 or
    192.0.0.171/32 or
    192.0.2.0/24 or
    192.31.196.0/24 or
    192.52.193.0/24 or
    192.168.0.0/16 or
    192.88.99.0/24 or
    224.0.0.0/4 or
    100.64.0.0/10 or
    192.175.48.0/24 or
    198.18.0.0/15 or
    198.51.100.0/24 or
    203.0.113.0/24 or
    240.0.0.0/4 or
    "::1" or
    "FE80::/10" or
    "FF00::/8"
  ) and
  destination.ip:(
    10.0.0.0/8 or
    172.16.0.0/12 or
    192.168.0.0/16
  )

Results:

Can only use regexp queries on keyword and text fields - not on [source.ip] which is of type [ip]

What am I doing wrong? I just copied and pasted this rule from the Elastic page.

Thanks

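An added worked example, not posted by anyone in this thread, that ties the two answers together: the first post's wildcard exclusion is rewritten as Query DSL using CIDR term queries on the ip-typed field (the term and range forms from the replies above), and the stdlib ipaddress module is used offline to check which constructed sample hits each exclusion list would drop. Assumptions: the wildcard prefixes of the first post are mapped to CIDRs by hand (172.16.0.0/12 covers 172.16.0.0 through 172.31.255.255, so it replaces every 172.x.* entry in one block; fc00::/7 is the IPv6 unique-local range behind the fc*/fd* prefixes; loopback becomes 127.0.0.0/8 and ::1/128), the events are invented, and the local check only approximates how Elasticsearch matches a CIDR term against an ip field. On the error in the last post: reading `/8 or 127.0.0.0/` as a slash-delimited regular expression is what the Lucene query syntax does; the Elastic rule is written in KQL, which accepts unquoted CIDR values on ip fields, so the query-language setting in use matters.

```python
"""
Added example (not from the thread): the first post's wildcard exclusion as
Query DSL on an `ip`-typed field, plus a local ipaddress-based check of
which sample hits each CIDR list would drop.
"""
import ipaddress
import json

# Assumption: the first post's wildcard prefixes expressed as CIDR blocks.
PRIVATE_CIDRS = [
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fc00::/7", "::1/128",
]

# The source.ip exclusion list of the Elastic RDP rule quoted in the last post.
RULE_CIDRS = [
    "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32",
    "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24",
    "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4",
    "::1", "FE80::/10", "FF00::/8",
]

# Constructed sample hits (invented, not real log data).
SAMPLE_EVENTS = [
    {"winlog.event_id": "4624", "source.ip": "10.1.2.3"},      # private
    {"winlog.event_id": "4624", "source.ip": "172.22.5.9"},    # inside 172.16.0.0/12, absent from the 172.x.* wildcards
    {"winlog.event_id": "4624", "source.ip": "172.32.0.1"},    # one past the /12 boundary: public
    {"winlog.event_id": "4624", "source.ip": "203.0.113.77"},  # TEST-NET-3: only the rule list drops it
    {"winlog.event_id": "4624", "source.ip": "fd12:3456::1"},  # ULA: only fc00::/7 drops it
    {"winlog.event_id": "4624", "source.ip": "fe80::1"},       # link-local: only the rule list drops it
    {"winlog.event_id": "4624", "source.ip": "::1"},           # loopback: both drop it
    {"winlog.event_id": "4624", "source.ip": "2001:db8::10"},  # documentation prefix: kept by both
]


def cidr_term(field, cidr):
    """term query; on an ip-typed field the value may be a CIDR block."""
    return {"term": {field: cidr}}


def cidr_range(field, cidr):
    """The same block as a range query, bounds computed from the network."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {"range": {field: {"gte": str(net[0]), "lte": str(net[-1])}}}


def build_logon_query(excluded_cidrs):
    """Query DSL for the first post's search (Security / 4624 / LogonType 10)
    minus any hit whose source.ip falls inside an excluded block."""
    return {
        "query": {
            "bool": {
                "filter": [
                    {"term": {"winlog.channel": "Security"}},
                    {"term": {"winlog.event_id": "4624"}},
                    {"term": {"winlog.event_data.LogonType": "10"}},
                ],
                # must_not clauses are OR'ed: one matching block drops the hit
                "must_not": [cidr_term("source.ip", c) for c in excluded_cidrs],
            }
        }
    }


def is_excluded(ip, cidrs):
    """Local stand-in for the must_not clause above."""
    addr = ipaddress.ip_address(ip)
    # an IPv4 address is never inside an IPv6 network, and vice versa
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def remaining_sources(events, cidrs):
    """source.ip values that survive the exclusion list."""
    return [e["source.ip"] for e in events if not is_excluded(e["source.ip"], cidrs)]


if __name__ == "__main__":
    print(json.dumps(build_logon_query(PRIVATE_CIDRS), indent=2))
    print("range form of 172.30.0.0/16:", cidr_range("source.ip", "172.30.0.0/16"))
    print("left after PRIVATE_CIDRS:", remaining_sources(SAMPLE_EVENTS, PRIVATE_CIDRS))
    print("left after RULE_CIDRS:   ", remaining_sources(SAMPLE_EVENTS, RULE_CIDRS))
```

The two lists disagree on link-local, unique-local and the reserved IPv4 test ranges, which is worth knowing before reusing the rule's list for a Windows logon search: what counts as "internal" should be decided for the environment rather than copied from whichever list came first.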
