IP range exclusion

Hello,

I would like to create a rule in the LEM that will detect IPS traffic that is going to an IP range and exclude a range from being detected as well. What is the best way to call out a range of IP addresses in the rules, i.e. 192.168.*.* or 192.168.*? What does the format need to be, or what is the best practice for this?

Thanks

  • For your filters/rules/nDepth searches, you would just say something along the lines of:

    DestinationIP = 192.168*

    which would, of course, match anything from 192.168.0.1 - 192.168.255.254.  It is simply matching it as a text string and the '*' replaces anywhere from 0 to many characters.

  • I've used mid-string wildcards successfully in filters, so 192.168.*.* would work.  blsanner is also correct, that 192.168.* would work, though it won't just match 192.168.0.1 to 192.168.255.255, but also 192.168.chickensandwich.  It's unlikely that the LEM will ever see chickensandwich in an IP, but that could be an issue if you were filtering Event Info or Extraneous Info on an event.

    You could also create a User Defined Group with ranges in it:

    192.168.0.10*

    192.168.41.25*

    You can import UDGs from a CSV file, if it is formatted correctly (you can paste this into a text file and then import it as a UDG to see how it worked):

    UDG, A Sample Group Title, This Group is a Sample Created by the UDG Import Process

    IPS Range 1, 192.168.0.10*, IPS Devices for the 0 subnet

    Dallas IPS, 192.168.2.25, Dallas IPS

    Austin IPS, 192.168.3.44, Austin IPS
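Both replies above make the same point: the LEM pattern is a plain text wildcard, not an address range, so `192.168*` also matches strings that are not addresses in 192.168.0.0/16 at all. The script below is an added example (not from the thread and not LEM's own code) that contrasts a text wildcard, approximated here with Python's `fnmatch` as an assumption about LEM's `*` semantics, with a strict CIDR check, and shows how an include range with an excluded sub-range would be evaluated. All sample values are constructed.

```python
import fnmatch
import ipaddress

# Constructed sample values for the comparison (not taken from the thread)
SAMPLE_VALUES = [
    "192.168.0.1",
    "192.168.255.254",
    "192.168.chickensandwich",  # non-IP text; a string wildcard still matches it
    "192.1680.5.5",             # not a valid address, but starts with "192.168"
    "192.168.0.105",            # caught by the UDG entry "192.168.0.10*"
    "10.0.0.1",
]


def wildcard_match(pattern: str, value: str) -> bool:
    """Text-style match: '*' stands for zero or more characters.

    fnmatch is used here as an approximation of LEM's wildcard (assumption);
    the comparison is on the raw string, exactly like the replies describe.
    """
    return fnmatch.fnmatchcase(value, pattern)


def in_cidr(network: str, value: str) -> bool:
    """Strict check: value must parse as an IP and fall inside the network."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(network, strict=False)
    except ValueError:
        # "192.168.chickensandwich" and "192.1680.5.5" land here: not addresses
        return False


def matches_scope(value: str, include_net: str, exclude_nets: list[str]) -> bool:
    """True when value is inside include_net and in none of exclude_nets.

    Models the original question: alert on a range, but leave out a sub-range.
    """
    if not in_cidr(include_net, value):
        return False
    return not any(in_cidr(net, value) for net in exclude_nets)


def compare(pattern: str, network: str, values: list[str]) -> dict[str, tuple[bool, bool]]:
    """For each value, return (text wildcard result, CIDR result) side by side."""
    return {v: (wildcard_match(pattern, v), in_cidr(network, v)) for v in values}


if __name__ == "__main__":
    for pattern in ("192.168*", "192.168.*"):
        print(f"pattern {pattern!r} vs 192.168.0.0/16")
        for value, (by_text, by_cidr) in compare(pattern, "192.168.0.0/16", SAMPLE_VALUES).items():
            print(f"  {value:28} wildcard={by_text!s:5} cidr={by_cidr}")
    print("include 192.168.0.0/16, exclude 192.168.2.0/24:")
    for value in ("192.168.2.25", "192.168.3.44"):
        print(f"  {value:28} in scope={matches_scope(value, '192.168.0.0/16', ['192.168.2.0/24'])}")
```

The two text patterns differ only on the malformed value: `192.168*` accepts `192.1680.5.5` while `192.168.*` does not, and both accept `192.168.chickensandwich`; the CIDR check rejects both. Note also that a UDG entry such as `192.168.0.10*` covers `192.168.0.100` through `192.168.0.109` as well as `192.168.0.10`, which matters if a single host, not a block, is intended.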