Classless Inter-Domain Routing (CIDR) notation is a shorthand for a range of IP addresses and their associated routing prefix. It is written as an IP address, a forward slash, and an integer (the prefix length), for example 192.168.1.1/32.
The Threat Stack Cloud Security Platform® (CSP) supports rule creation using CIDR notation. The following Rule fields support CIDR notation:
| Event Field         | Field Type               |
|---------------------|--------------------------|
| src_ip              | Linux Host, Windows Host |
| connection.addr     | Audit, Threat Intel      |
| connection.dst_addr | Audit, Threat Intel      |
| connection.src_addr | Audit, Threat Intel      |
If you use CIDR notation on a field that does not support it, the rule evaluates as false on that field.
Sample CIDR Notation Event Queries
An alert triggers when an event contains a value in the source IP address field that falls within the specific CIDR range:
srcIp = "192.168.1.1/32"
An alert triggers when an event contains a value in the source IP address field that falls outside a specific CIDR range:
srcIp != "192.168.1.1/32"
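To make the matching semantics above concrete, here is an added example, written for this page and not Threat Stack's own code, that evaluates `=` and `!=` CIDR clauses over a handful of constructed events using Python's standard `ipaddress` module. The field-to-rule-type mapping is copied from the table on this page; the `type` key on each event, the event shapes, and the treatment of a missing or unparsable address as false are assumptions made here.

```python
import ipaddress
from typing import Any, Dict, Iterable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Event fields that accept CIDR notation and the rule types they belong to,
# taken from the table on this page. The dict itself is a constructed
# illustration, not the platform's own configuration.
CIDR_FIELDS: Dict[str, set] = {
    "src_ip": {"Linux Host", "Windows Host"},
    "connection.addr": {"Audit", "Threat Intel"},
    "connection.dst_addr": {"Audit", "Threat Intel"},
    "connection.src_addr": {"Audit", "Threat Intel"},
}

# Constructed sample events (not captured platform data). The "type" key
# is an assumption used here to carry the rule type of each event.
SAMPLE_EVENTS = [
    {"type": "Linux Host", "src_ip": "10.20.30.40"},
    {"type": "Linux Host", "src_ip": "192.168.1.1"},
    {"type": "Audit", "connection": {"src_addr": "10.20.99.7", "dst_addr": "172.16.5.5"}},
    {"type": "Threat Intel", "connection": {"addr": "198.51.100.23"}},
]


def lookup(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Resolve a dotted field name such as 'connection.dst_addr' in a nested event."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def address_in_field(field: str, event: Dict[str, Any]) -> Optional[IPAddress]:
    """Return the parsed address held by `field`, or None when the field is
    not CIDR-capable for this event's rule type, is absent, or is not an IP."""
    if event.get("type") not in CIDR_FIELDS.get(field, set()):
        return None
    value = lookup(event, field)
    if value is None:
        return None
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def evaluate(field: str, op: str, cidr: str, event: Dict[str, Any]) -> bool:
    """Evaluate a rule clause of the form  <field> = "<cidr>"  or  <field> != "<cidr>".

    '=' is true when the address lies inside the range, '!=' when it lies
    outside it. Following the page, a clause on a field that does not
    support CIDR evaluates as False whatever the operator; a missing or
    unparsable address is treated the same way (an assumption made here).
    """
    address = address_in_field(field, event)
    if address is None:
        return False
    # strict=False accepts a range written with host bits set (e.g. 10.1.2.3/24)
    # instead of rejecting it, since that is how such shorthand is often typed.
    network = ipaddress.ip_network(cidr, strict=False)
    if address.version != network.version:
        return False  # an IPv4 address can never fall inside an IPv6 range
    inside = address in network
    if op == "=":
        return inside
    if op == "!=":
        return not inside
    raise ValueError(f"unsupported operator {op!r}")


def count_matches(field: str, op: str, cidr: str, events: Iterable[Dict[str, Any]]) -> int:
    """Number of events in `events` for which the clause evaluates as True."""
    return sum(1 for e in events if evaluate(field, op, cidr, e))


if __name__ == "__main__":
    for clause in [("src_ip", "=", "192.168.1.1/32"),
                   ("src_ip", "!=", "192.168.1.1/32"),
                   ("connection.dst_addr", "=", "172.16.0.0/12"),
                   ("connection.addr", "=", "10.0.0.0/8")]:
        print(clause, "->", count_matches(*clause, SAMPLE_EVENTS))
```

Note that the `!=` clause is not simply the negation of `=`: both return false for an event whose field is unsupported or empty, so an "outside the range" alert never fires just because the address was never there.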