IP Range in Security Analytics
It is best to tag your network ranges with an app rule on your logdecoder or decoder and then use this meta in your reports.
You will see a tremendous speed increase from doing this.
The best way is to have a feed file that will tag your networks.
I include a post made by Davide Veneziano
Tagging networks and inbound/outbound connections
Inspired by Jim Hollar's attempt to revamp our application rule structure, I've put together some simple applications rules trying to build a standard naming convention and approach for the way we can "tag" inbound/outbound connections as well as for naming our customers' networks.
Since I found myself re-inventing the wheel every time, creating similar rules from scratch for every single packet PoC, I hope this attempt could also be useful for somebody else.
First of all we need to create the following custom meta keys:
- Source/Destination Network Class (net.src, net.dst): this is to identify whether a session is coming from/going to an IP internal or external to our organization (e.g. intranet, extranet)
- Source/Destination Network Name (net.name.src, net.name.dst): this is to (optionally) "tag" the source/destination network with a specific name (e.g. finance, workstation, etc.)
- Source/Destination Network Environment (net.env.src, net.env.dst): this is to (optionally) "tag" the source/destination network environment with a specific name (e.g. production, test, development, etc.)
- Direction (direction): this is for tagging the connection as inbound or outbound
Then the application rules provided will populate the net.src and net.dst meta accordingly with:
- intranet (if coming from/going to an RFC 1918 IP)
- extranet (if coming from/going to a non-RFC 1918 IP)
and the direction meta with:
- intranet (intranet to intranet communication)
- external (extranet to extranet communication)
- inbound (extranet to intranet communication)
- outbound (intranet to extranet communication)
The meta net.name.src, net.name.dst, net.env.src and net.env.dst are instead not populated by the application rules but can optionally be populated by a custom feed.
The application rules, the custom decoder and concentrator index files, sample feeds as well as screenshots are provided as attachments.
There's a parser similar to cidr.lua that should be coming to Live soon for packet decoders to provide both subnet naming and directionality.
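As an added example (not the post's own rules or feed), the following Python models the tagging logic described above: net.src/net.dst from an RFC 1918 test, direction from those two classes, and net.name.*/net.env.* from a longest-prefix match against a feed; the feed entries are constructed sample data.

```python
# Added example (not the original post's code): a Python model of the tagging
# logic the post describes, built on the standard-library ipaddress module.
# The feed entries below are constructed sample data, not a real feed.
import ipaddress

# RFC 1918 private ranges; the post's app rules call these "intranet".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample feed: CIDR -> (net.name, net.env), standing in for the
# feed file the post says populates net.name.* and net.env.*.
SAMPLE_FEED = {
    "10.1.0.0/16": ("finance", "production"),
    "10.1.200.0/24": ("finance", "test"),       # more specific entry wins
    "172.16.50.0/24": ("workstation", "development"),
}

def net_class(ip):
    """net.src / net.dst value: intranet for RFC 1918 addresses, else extranet."""
    addr = ipaddress.ip_address(ip)
    return "intranet" if any(addr in n for n in RFC1918) else "extranet"

def direction(src_class, dst_class):
    """Direction meta as the post defines it from the two network classes."""
    if src_class == dst_class:
        return "intranet" if src_class == "intranet" else "external"
    return "inbound" if src_class == "extranet" else "outbound"

def feed_lookup(ip, feed=SAMPLE_FEED):
    """Longest-prefix match of ip against the feed; (name, env) or (None, None)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, tags in feed.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tags)
    return best[1] if best else (None, None)

def tag_session(ip_src, ip_dst, feed=SAMPLE_FEED):
    """All seven meta values the post describes, for one session."""
    src_c, dst_c = net_class(ip_src), net_class(ip_dst)
    src_name, src_env = feed_lookup(ip_src, feed)
    dst_name, dst_env = feed_lookup(ip_dst, feed)
    return {"net.src": src_c, "net.dst": dst_c,
            "direction": direction(src_c, dst_c),
            "net.name.src": src_name, "net.env.src": src_env,
            "net.name.dst": dst_name, "net.env.dst": dst_env}
```

Note that the plain RFC 1918 test classifies loopback, link-local and any public address space your organization owns as extranet, so where that matters a feed-driven net.src/net.dst is the more accurate choice.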