2 Replies Latest reply on May 2, 2014 9:05 AM by curtisi

    IP range exclusion

    msengele

      Hello,

       

      I would like to create a rule in the LEM that will detect IPS traffic that is going to an IP range and exclude a range from being detected as well. What is the best way to call out a range of IP addresses in the rules, i.e. 192.168.*.* or 192.168.*? What does the format need to be, or what is the best practice for this?

       

      Thanks

        • Re: IP range exclusion
          blsanner

          For your filters/rules/nDepth searches, you would just say something along the lines of:

           

          DestinationIP = 192.168*

           

          which would, of course, match anything from 192.168.0.1 - 192.168.255.254.  It is simply matching it as a text string and the '*' replaces anywhere from 0 to many characters.

          • Re: IP range exclusion
            curtisi

            I've used mid-string wildcards successfully in filters, so 192.168.*.* would work. blsanner is also correct that 192.168.* would work, though it won't just match 192.168.0.1 to 192.168.255.255, but also 192.168.chickensandwich. It's unlikely that the LEM will ever see chickensandwich in an IP, but that could be an issue if you were filtering Event Info or Extraneous Info on an event.

             

            You could also create a User Defined Group with ranges in it:

             

            192.168.0.10*

            192.168.41.25*

             

            You can import UDGs from a CSV file if it is formatted correctly (you can paste this into a text file and then import it as a UDG to see how it works):

             

            UDG, A Sample Group Title, This Group is a Sample Created by the UDG Import Process

            IPS Range 1, 192.168.0.10*, IPS Devices for the 0 subnet

            Dallas IPS, 192.168.2.25, Dallas IPS

            Austin IPS, 192.168.3.44, Austin IPS
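The following is an added example, not code from the thread or from SolarWinds LEM. It emulates the text-style '*' wildcard the replies describe (zero or more characters, no IP awareness), loads a UDG from the CSV layout curtisi posted, and evaluates an "in this range but not in that range" rule of the kind msengele asked for. It also runs a CIDR check alongside for comparison. The parser's decision to split each line on at most two commas, the exclusion group, and the list of destination strings are all constructed for this example and are assumptions, as is the exact wildcard semantics, which the thread only describes informally.

```python
# Added example (not LEM code): emulate the text-style '*' wildcard LEM uses
# for DestinationIP filters and UDG members, load a UDG from the CSV format
# in the post above, and evaluate an "in range X but not in range Y" rule.
import ipaddress
import re


def wildcard_to_regex(pattern: str):
    """'*' matches zero or more characters; everything else is literal.
    This is plain string matching, so it knows nothing about IP semantics
    (assumed from the thread's description of the wildcard)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def wildcard_match(pattern: str, value: str) -> bool:
    return wildcard_to_regex(pattern).match(value) is not None


def cidr_match(network: str, value: str) -> bool:
    """IP-aware alternative for comparison: non-IP strings never match, and a
    /24 cannot accidentally widen the way a text pattern like 192.168.0.1* does."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(network, strict=False)
    except ValueError:
        return False


def parse_udg_csv(text: str) -> dict:
    """Parse the UDG import layout shown in the thread:
    line 1: 'UDG, <group title>, <group description>'
    rest:   '<member name>, <member value>, <member description>'
    Assumption for this example: descriptions may contain commas, so each
    line is split on at most two commas."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    kind, title, description = (f.strip() for f in lines[0].split(",", 2))
    if kind != "UDG":
        raise ValueError("first line must start with 'UDG'")
    members = []
    for ln in lines[1:]:
        name, value, desc = (f.strip() for f in ln.split(",", 2))
        members.append({"name": name, "value": value, "description": desc})
    return {"title": title, "description": description, "members": members}


def in_group(group: dict, value: str) -> bool:
    """A value is in the group if any member pattern matches it (text wildcard)."""
    return any(wildcard_match(m["value"], value) for m in group["members"])


def rule_fires(dest_ip: str, include: dict, exclude: dict) -> bool:
    """Shape of the rule asked for: DestinationIP in INCLUDE and not in EXCLUDE."""
    return in_group(include, dest_ip) and not in_group(exclude, dest_ip)


# Group taken from curtisi's sample CSV above.
IPS_DEVICES_CSV = """
UDG, A Sample Group Title, This Group is a Sample Created by the UDG Import Process
IPS Range 1, 192.168.0.10*, IPS Devices for the 0 subnet
Dallas IPS, 192.168.2.25, Dallas IPS
Austin IPS, 192.168.3.44, Austin IPS
"""

# Constructed exclusion group (hypothetical, not from the thread).
EXCLUDED_CSV = """
UDG, Excluded Destinations, Constructed for this example
Austin lab subnet, 192.168.3.*, Anything in the Austin lab is ignored
"""

# Constructed DestinationIP values, including one non-IP string that a text
# wildcard will happily match.
SAMPLE_DESTINATIONS = [
    "192.168.0.10", "192.168.0.105", "192.168.0.1", "192.168.2.25",
    "192.168.3.44", "10.0.0.7", "192.168.chickensandwich",
]


def evaluate_rule() -> list:
    """Return the destinations on which the include-minus-exclude rule fires."""
    include = parse_udg_csv(IPS_DEVICES_CSV)
    exclude = parse_udg_csv(EXCLUDED_CSV)
    return [d for d in SAMPLE_DESTINATIONS if rule_fires(d, include, exclude)]


if __name__ == "__main__":
    for pat in ("192.168*", "192.168.*", "192.168.*.*", "192.168.0.1*"):
        hits = [d for d in SAMPLE_DESTINATIONS if wildcard_match(pat, d)]
        print(f"{pat:14} -> {hits}")
    cidr_hits = [d for d in SAMPLE_DESTINATIONS if cidr_match("192.168.0.0/16", d)]
    print("CIDR 192.168.0.0/16 ->", cidr_hits)
    print("rule fires on:", evaluate_rule())
```

Two things worth noticing when you run it: 192.168.*.* rejects 192.168.chickensandwich because the mid-string wildcard still requires a third dot, whereas 192.168.* accepts it, which is curtisi's point; and a trailing-wildcard member such as 192.168.0.1* also matches 192.168.0.100 through 192.168.0.199, so a pattern meant for a single host or a small range can widen further than intended when the match is purely textual.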