Rule Creation and CIDR Notation

Classless inter-domain routing (CIDR) notation is a shorthand representation of a range of IP addresses and their associated routing prefix. The format is an IP address, a forward slash character, and an integer (the prefix length, i.e. the number of leading bits shared by every address in the range). For example:

1.1.1.1/24

The Threat Stack Cloud Security Platform® (CSP) supports rule creation using CIDR notation. The following Rule fields support CIDR notation:

Event Field            Field Type
src_ip                 Linux Host, Windows Host
connection.addr        Audit, Threat Intel
connection.dst_addr    Audit, Threat Intel
connection.src_addr    Audit, Threat Intel
dst_ip                 Windows Host
dstIpv6                Windows Host
srcIpv6                Windows Host

Note

If you query CIDR notation on a field that does not support it, then your rules evaluate as false on that field.

Sample CIDR Notation Event Queries

IPv4

An alert triggers when an event contains a value in the source IP address field that falls within the specified CIDR range:

srcIp = "192.168.1.1/32"

Connection.addr

An alert triggers when an event contains a value in the connection IP address field that falls outside of the specified CIDR range:

srcIp != "192.168.1.1/32"
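The following is an added worked example, not Threat Stack code, showing how the two sample conditions above (and the note about unsupported fields) behave when evaluated against events. It uses the field names from the table above, the `=` and `!=` operators from the sample queries, and Python's standard `ipaddress` module; the `evaluate` function, the `CIDR_FIELDS` set, and the sample events are constructed for illustration. It assumes that the "evaluates as false" rule in the note applies to both operators, and it treats a value that is not a valid IP address, or an IPv4 address tested against an IPv6 range, as a non-match.

```python
import ipaddress

# Fields that support CIDR notation, taken from the table on this page.
# (Constructed set for this example; the platform's own list is authoritative.)
CIDR_FIELDS = {
    "src_ip", "connection.addr", "connection.dst_addr", "connection.src_addr",
    "dst_ip", "dstIpv6", "srcIpv6",
}


def in_cidr(value, cidr):
    """Return True if `value` (an IPv4/IPv6 address string) falls inside `cidr`.

    strict=False lets a range be written with host bits set, such as the
    page's "1.1.1.1/24", which is normalised to 1.1.1.0/24. Unparseable input
    and address-family mismatches (IPv4 vs IPv6) are treated as non-matches.
    """
    try:
        addr = ipaddress.ip_address(value)
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False
    return addr.version == net.version and addr in net


def evaluate(event, field, op, cidr):
    """Evaluate a single `field = "cidr"` or `field != "cidr"` rule condition.

    Per the note above, a CIDR condition on a field that does not support it
    evaluates as False (assumption: for both operators). A missing field is
    also treated as False so that an absent value never triggers an alert.
    """
    if field not in CIDR_FIELDS:
        return False
    value = event.get(field)
    if value is None:
        return False
    matched = in_cidr(value, cidr)
    if op == "=":
        return matched
    if op == "!=":
        return not matched
    raise ValueError(f"unsupported operator: {op}")


def demo():
    """Run the page's two sample conditions over constructed events."""
    # Constructed sample events, not real telemetry.
    events = [
        {"src_ip": "192.168.1.1", "connection.addr": "192.168.1.1", "user": "alice"},
        {"src_ip": "10.0.0.7", "connection.addr": "10.0.0.7", "user": "bob"},
        {"srcIpv6": "2001:db8::1", "user": "carol"},
    ]
    return [
        (
            evaluate(e, "src_ip", "=", "192.168.1.1/32"),          # inside the range
            evaluate(e, "connection.addr", "!=", "192.168.1.1/32"),  # outside the range
            evaluate(e, "user", "=", "10.0.0.0/8"),                  # unsupported field
        )
        for e in events
    ]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running the block prints `(True, False, False)` for the first event, `(False, True, False)` for the second, and `(False, False, False)` for the third, where `src_ip` and `connection.addr` are absent. The third tuple illustrates why a `!=` condition alone is a weak detector: an event that lacks the field does not fire it, so a rule meant to catch connections from outside an allow-list should pair the CIDR check with a presence check on the field.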