srcip=(?!(10[.]|172[.](?:1[6-9]|2[0-9]|3[0-1])[.]|192[.]168[.]))
Negative lookahead (?!) is not supported by RE2 in Google SecOps.
I need an alternative for this, to filter out if the srcip is public.
How can I achieve this in one single-line regex?
Can anyone help me?
@AymanC ?
Hi @anurag.q.singh ,
Did I get you right that you want to select the public IPs?
I would go for a negative/excluding regex like this:
Yes, you got me right, but I don't want to use any function like re.regex or anything, just a plain regex expression.
Hi @anurag.q.singh,
For standardisation and efficiency, I would recommend setting up a reference list containing the CIDRs relating to public IPs, then within your rule logic doing the following:
rule ayman_cidr_reference_list_example {
  meta:
    author = "Ayman c"
  events:
    $e.metadata.event_type = "USER_CREATION"
    not $e.src.ip in cidr %Public_Ips_CIDR
  condition:
    $e
}
Kind Regards,
Ayman C
Another option, in addition to the not re.regex() and CIDR reference list options already presented, would be to implement this with the net.ip_in_range_cidr() function:
net.ip_in_range_cidr($event.principal.ip, "10.0.0.0/8") or net.ip_in_range_cidr($event.principal.ip, "172.16.0.0/12") or net.ip_in_range_cidr($event.principal.ip, "192.168.0.0/16")
Function Doc: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#netip_in_range_cidr
Blog with examples: https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Fall-is-the-perfect-time-for-CIDR/ba-p/733381
Is there any alternative for the negation statement (?!)?
srcip=(?!(10[.]|172[.](?:1[6-9]|2[0-9]|3[0-1])[.]|192[.]168[.]))
I want a single regex expression to serve my purpose. No function, nothing.
I need this for log filtering.
Thanks for your help in advance.
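The lookahead in the original pattern can be replaced by spelling out, positively, every first/second octet combination that is not RFC 1918. The block below is an added example, not code from this thread or from Google SecOps: it builds such a pattern using only constructs RE2 supports (alternation, character classes, non-capturing groups, \b), applies it to a few constructed log lines, and cross-checks it exhaustively against Python's ipaddress module. Field name srcip= and the sample lines are assumptions.

```python
import ipaddress
import re

# Any single dotted-quad octet, 0-255 (no leading zeros).
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"

# First octet anything except 10, 172 and 192; the remaining octets are then free.
FIRST_NOT_10_172_192 = r"(?:25[0-5]|2[0-4]\d|1[0-68]\d|17[013-9]|19[013-9]|1[1-9]|[2-9]\d|\d)"
# Second octet for 172.x: anything outside 16-31 (i.e. outside 172.16.0.0/12).
SECOND_NOT_16_31 = r"(?:25[0-5]|2[0-4]\d|1\d\d|[4-9]\d|3[2-9]|1[0-5]|\d)"
# Second octet for 192.x: anything but 168 (i.e. outside 192.168.0.0/16).
SECOND_NOT_168 = r"(?:25[0-5]|2[0-4]\d|1[0-57-9]\d|16[0-79]|[1-9]\d|\d)"

# Positive pattern for "IPv4 address not in 10/8, 172.16/12 or 192.168/16": no lookaround needed.
NON_RFC1918 = (
    r"(?:" + FIRST_NOT_10_172_192 + r"\." + OCTET + r"\." + OCTET + r"\." + OCTET
    + r"|172\." + SECOND_NOT_16_31 + r"\." + OCTET + r"\." + OCTET
    + r"|192\." + SECOND_NOT_168 + r"\." + OCTET + r"\." + OCTET
    + r")"
)

# Log-line filter: the key "srcip=" is an assumed field name; \b stops "1.2.3.4" matching inside "1.2.3.45".
SRCIP_PUBLIC = re.compile(r"srcip=" + NON_RFC1918 + r"\b")

# Constructed sample lines (not real logs).
SAMPLE_LOGS = [
    "2024-01-01T00:00:00Z action=allow srcip=10.1.2.3 dstip=203.0.113.1",
    "2024-01-01T00:00:01Z action=allow srcip=172.31.4.5 dstip=203.0.113.1",
    "2024-01-01T00:00:02Z action=allow srcip=172.32.4.5 dstip=203.0.113.1",
    "2024-01-01T00:00:03Z action=allow srcip=192.168.0.7 dstip=203.0.113.1",
    "2024-01-01T00:00:04Z action=allow srcip=192.169.0.7 dstip=203.0.113.1",
    "2024-01-01T00:00:05Z action=allow srcip=203.0.113.9 dstip=203.0.113.1",
]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    """Reference answer from the standard library, used only to validate the regex."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def filter_public(lines):
    """Keep only the lines whose srcip value lies outside RFC 1918 space."""
    return [line for line in lines if SRCIP_PUBLIC.search(line)]


def regex_agrees_with_ipaddress() -> bool:
    """Exhaustively compare the regex with ipaddress over every a.b.1.1 (65,536 addresses)."""
    for a in range(256):
        for b in range(256):
            ip = f"{a}.{b}.1.1"
            if bool(SRCIP_PUBLIC.search(f"srcip={ip}")) == is_rfc1918(ip):
                return False  # regex matched a private address, or missed a public one
    return True
```

Only the first and second octets decide RFC 1918 membership, so the a.b.1.1 sweep covers every case the pattern has to distinguish.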