This repository has been archived by the owner on Mar 21, 2023. It is now read-only.
cidr_match in lookup tables #246
Comments
|
he @brucegivens if you use the processing pipelines for the GEO IP Lookup - with your custom database, you would be able to access that information you add yourself. Please see how to-do this in this posting: https://blog.reconinfosec.com/geolocation-in-graylog/ With that and your custom DB you would be able to access the information. |
|
Hmm, interesting idea - I'll give it a whirl, will take some time before I'll be able to look into it, though. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
It would be useful to have the ability to perform a cidr_match on the keys of a lookup table.
The goal would be to look up a specific IP in a list of subnets and have the column(s) for the subnet to which that IP belongs returned.
For example, looking up 192.168.7.3 against the following CSV would return 'office':
"subnet","subnet_name"
"192.168.0.0/16","office"
"10.10.10.0/24","datacenter1"
"10.10.20.0/24","datacenter2"
Currently, a 1:1 match is required for the key such that the subnet would have to be known before the lookup could be performed.
For reference, the Graylog Community thread: https://community.graylog.org/t/mapping-ips-to-subnets/4083
It may also be a solution to use a custom MaxMind DB for this as described here: https://blog.maxmind.com/2015/09/29/building-your-own-mmdb-database-for-fun-and-profit/
But it appears as if Graylog can only use the predefined City and Country MMDB formats for a data adapter.
The text was updated successfully, but these errors were encountered: