Description:
We propose adding a CIDR (Classless Inter-Domain Routing) function to OpenSearch's Piped Processing Language (PPL) to provide built-in IP address range matching capabilities. This feature would be similar to the ip_range CIDR function already in OpenSearch, enhancing PPL's ability to work with IP addresses and network ranges.
Proposed Functionality:
The CIDR function should take two arguments: an IP address and a CIDR block.
It should return a boolean value indicating whether the IP address is within the specified CIDR range.
The function should support both IPv4 and IPv6 addresses and ranges.
It should handle various CIDR notation formats (e.g., "192.168.0.0/24" or "2001:db8::/32").
Example Usage:
... | where CIDR(src_ip, "192.168.0.0/24")
This would filter results to include only those where src_ip is within the 192.168.0.0/24 network.
... | where CIDR(dst_ip, "10.0.0.0/8") OR CIDR(dst_ip, "172.16.0.0/12") OR CIDR(dst_ip, "192.168.0.0/16")
This would filter results to include destinations in any of the private IP ranges.
... | where CIDR(ipv6_field, "2001:db8::/32")
This would filter results for IPv6 addresses within the specified range.
Implementation Considerations:
Ensure efficient implementation for large-scale data processing
Provide clear error handling for invalid IP addresses or CIDR notations
Consider integrating with existing IP-related functions in PPL (if any)
Optimize for common use cases in network security and analysis
Provide comprehensive documentation with examples for both IPv4 and IPv6 usage
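A reference model of the semantics proposed above, written in Python as an added example; it is not OpenSearch or PPL code. The names `cidr`, `where` and `CidrArgumentError`, the sample rows, and the two choices marked in the comments (host bits in the block are tolerated, an IP-version mismatch is a non-match) are assumptions.

```python
import ipaddress
from functools import lru_cache


class CidrArgumentError(ValueError):
    """Invalid IP address or CIDR block passed to cidr()."""


@lru_cache(maxsize=1024)
def _parse_block(block):
    # The CIDR literal is identical for every row of a query: parse it once.
    try:
        # Assumption: strict=False tolerates host bits ("192.168.0.7/24").
        return ipaddress.ip_network(block.strip(), strict=False)
    except ValueError as exc:
        raise CidrArgumentError(f"invalid CIDR block {block!r}: {exc}") from None


def cidr(ip, block):
    """Return True when ip lies inside block; works for IPv4 and IPv6."""
    network = _parse_block(block)
    try:
        address = ipaddress.ip_address(ip.strip())
    except ValueError as exc:
        raise CidrArgumentError(f"invalid IP address {ip!r}: {exc}") from None
    # Assumption: an IPv4 address tested against an IPv6 block (or the
    # reverse) is a non-match rather than an error.
    if address.version != network.version:
        return False
    return address in network


def where(rows, field, *blocks):
    """Model of `| where CIDR(field, b1) OR CIDR(field, b2) ...`."""
    return [r for r in rows if any(cidr(r[field], b) for b in blocks)]


# Constructed sample rows, not real traffic.
ROWS = [
    {"src_ip": "192.168.0.17", "dst_ip": "172.31.255.254"},
    {"src_ip": "192.168.1.5", "dst_ip": "172.32.0.1"},
    {"src_ip": "2001:db8:ffff::1", "dst_ip": "10.1.2.3"},
]
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

if __name__ == "__main__":
    print(where(ROWS, "src_ip", "192.168.0.0/24"))
    print(where(ROWS, "dst_ip", *PRIVATE))
    print(where(ROWS, "src_ip", "2001:db8::/32"))
```

A malformed address or block raises `CidrArgumentError` with the offending value in the message, so a bad query literal fails loudly instead of silently matching nothing.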