Closed cospirho closed 1 year ago
Hi,
I'm not able to reproduce this behavior.
Following rule:

title: Test
status: test
logsource:
    category: test_category
    product: windowssss
detection:
    selection:
        ipfield: 192.168.1.1
    condition: selection
Will be converted to:
ipfield:192.168.1.1
Within my test index ipfield is mapped to type ip. Doing that query against my ES node I get exactly one result (from two docs which have ipfield set to an IP address).
I don't see the need to add /mask to fulfill the CIDR notation right now. But I would be happy if you change my mind with some example documents and a sample rule which fails.
Regards
Closed due to inactivity.
It's for IP ranges
Rules that query IP address ranges on IP field types will fail if they don't use |cidr, since the IP field requires CIDR notation, a format like [1.2.3.4 TO 1.2.255.255], or a full IP address. The default winlogbeat config has many IP fields used in rules, and they do not have additional keyword/text mappings. Perhaps users could specify which fields are IP type, and then the rules could be converted to CIDR notation if necessary.
Thank you
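The last comment suggests letting users declare which fields are mapped as `ip` so the converter can emit syntax that type accepts. The following is an added illustration of that idea, written for this thread rather than taken from the Sigma project or its converters: it takes a Sigma-style selection map plus a constructed set of ip-typed field names and renders an Elasticsearch query_string, using the three forms the comment lists for ip fields (full address, CIDR block, `[a TO b]` range) and turning a trailing-octet wildcard such as `192.168.1.*` into the equivalent CIDR block. The field names `source.ip` and `destination.ip` in the example set are assumptions, not values from the thread.

```python
import ipaddress
from typing import Dict, Iterable, Union

# Constructed example of which fields are mapped as `ip`; in a real deployment
# this list would be read from the index mapping rather than hard-coded.
EXAMPLE_IP_FIELDS = {"ipfield", "source.ip", "destination.ip"}


def _wildcard_to_cidr(value: str) -> ipaddress.IPv4Network:
    """Turn an octet wildcard such as 192.168.1.* into 192.168.1.0/24.

    Only trailing wildcards are supported (192.*.1.* has no single CIDR
    equivalent), and the fixed octets are validated by building a network.
    """
    octets = value.split(".")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    rest = octets[len(fixed):]
    if not fixed or len(fixed) > 3 or any(o != "*" for o in rest):
        raise ValueError(f"unsupported wildcard pattern: {value!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.IPv4Network(f"{base}/{8 * len(fixed)}", strict=True)


def es_ip_term(field: str, value: Union[str, int, tuple]) -> str:
    """Render one query_string term for an Elasticsearch `ip`-typed field.

    Accepted forms (the ones the ip type understands):
      - a single address:           192.168.1.1
      - a CIDR block:               192.168.0.0/16
      - an inclusive range tuple:   ("1.2.3.4", "1.2.255.255") -> [a TO b]
    A trailing-octet wildcard (192.168.1.*) is rewritten as a CIDR block;
    a CIDR with host bits set (192.168.1.1/16) is rejected instead of being
    silently widened, so a sloppy rule fails at conversion time.
    """
    if isinstance(value, tuple):
        lo, hi = (ipaddress.ip_address(v) for v in value)
        if lo.version != hi.version:
            raise ValueError("range bounds must be the same IP version")
        if lo > hi:
            raise ValueError("range lower bound exceeds upper bound")
        return f"{field}:[{lo} TO {hi}]"
    text = str(value)
    if "*" in text:
        return f"{field}:{_wildcard_to_cidr(text)}"
    if "/" in text:
        return f"{field}:{ipaddress.ip_network(text, strict=True)}"
    return f"{field}:{ipaddress.ip_address(text)}"


def convert_selection(selection: Dict[str, object], ip_fields: Iterable[str]) -> str:
    """Convert a Sigma-style selection map into an Elasticsearch query_string.

    Fields listed in ip_fields get ip-aware syntax; everything else becomes a
    plain field:value term (quoted when the value contains whitespace). Terms
    are AND-ed, which is what `condition: selection` means.
    """
    ip_fields = set(ip_fields)
    terms = []
    for field, value in selection.items():
        if field in ip_fields:
            terms.append(es_ip_term(field, value))
        else:
            text = str(value)
            if any(ch.isspace() for ch in text):
                text = f'"{text}"'
            terms.append(f"{field}:{text}")
    return " AND ".join(terms)


if __name__ == "__main__":
    # Constructed rule selections: the single address from the thread, and a
    # range-style rule of the kind the last comment says would otherwise fail.
    print(convert_selection({"ipfield": "192.168.1.1"}, EXAMPLE_IP_FIELDS))
    print(convert_selection({"ipfield": "192.168.1.*", "EventID": 4624}, EXAMPLE_IP_FIELDS))
    print(convert_selection({"source.ip": ("1.2.3.4", "1.2.255.255")}, EXAMPLE_IP_FIELDS))
```

The design choice worth noting is that the converter refuses input it cannot express exactly for an `ip` field (a non-trailing wildcard, or a CIDR with host bits set) rather than emitting a query that Elasticsearch will reject or that silently matches a wider range than the rule author intended; a converter that quietly degrades is the kind of thing that turns a detection rule into one that never fires.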