cidr_match in lookup tables

[brucegivens]

It would be useful to have the ability to perform a cidr_match on the keys of a lookup table.

The goal would be to look up a specific IP in a list of subnets and have the column(s) for the subnet to which that IP belongs returned.

For example, looking up 192.168.7.3 against the following CSV would return 'office':

"subnet","subnet_name"
"192.168.0.0/16","office"
"10.10.10.0/24","datacenter1"
"10.10.20.0/24","datacenter2"

Currently, a 1:1 match is required for the key such that the subnet would have to be known before the lookup could be performed.

For reference, the Graylog Community thread: https://community.graylog.org/t/mapping-ips-to-subnets/4083

It may also be a solution to use a custom MaxMind DB for this as described here: https://blog.maxmind.com/2015/09/29/building-your-own-mmdb-database-for-fun-and-profit/

But it appears as if Graylog can only use the predefined City and Country MMDB formats for a data adapter.

[jalogisch]

he @brucegivens

if you use the processing pipelines for the GEO IP Lookup - with your custom database, you would be able to access that information you add yourself.

Please see how to-do this in this posting: https://blog.reconinfosec.com/geolocation-in-graylog/

With that and your custom DB you would be able to access the information.

[brucegivens]

Hmm, interesting idea - I'll give it a whirl, will take some time before I'll be able to look into it, though.
Thanks for the input!