Support for generating single IP/CIDRs instead of ranges

[jtschichold]

Feed API should support a new format where IP ranges should translated into:

• single IPs when start and end of the IP range match
• CIDRs for multiple ranges

This for compatibility with some TI consumers.

[rhysxevans]

Hi

I am wondering if the option to output individual IP's (ie for CIDR 192.168.0.0/24 becomes 192.168.0.1, 192.168.0.2, 192.168.0.3, etc) has been added ?

I have looked at https://live.paloaltonetworks.com/t5/MineMeld-Articles/Parameters-for-the-output-feeds/ta-p/146170 but I can't see the option there to do so.

I then looked at the feedredis.py file, and honestly can't make out if there is a switch that isn't documented, other than there is a "new" Carbonblack output, not listed on the link provided above, that seems to expand the ranges/cidr's to individual IP's.

Its just logstash doesn't match single IP's against CIDR's when using the translate plugin. (In know there are other ways around it, but it does mean more code in logstash, multiple feed files etc)

Currently my output looks like (single file being fed to logstash, already formatted) - tor.exit_addresses is being hit fine

"176.119.4.0/24" : "dshield.block,spamhaus.EDROP"
"185.143.221.0/24" : "spamhaus.EDROP,dshield.block"
"185.176.26.0/24" : "dshield.block,spamhaus.EDROP"
"185.176.27.0/24" : "dshield.block,spamhaus.EDROP"
"103.109.100.148" : "tor.exit_addresses"

Any help is appreciated.

Thanks