+4Hi All,
I am trying to use the “Is Value in Data Table” to look for an IP address within a list of IP CIDR ranges Datatable.
When I run the action, the action does not find a match - however I know the IP address is in the CIDR range within the data-table.
Below is the settings for the SOAR action:
Below is the Data table which contains the CIDR ranges for Mandiant ASM IPs:
Output from the action:
Is it perhaps to do with the type associated with the column which is “CIDR”?
Thanks
Best answer by mccrilb
It looks like its only doing a string search not an IP search within a CIDR range.
Can it not do that?
Oh, I see what you are trying to do. I think you would want to build out a python function in the IDE to get the CIDR range for the IP. You would have string type mismatch with trying to do it with a table.
something like:
import ipaddress
def is_ip_in_cidr(ip_address_str, cidr_range_str):
"""
Checks if a given IP address falls within a specified CIDR range.
Args:
ip_address_str (str): The IP address (e.g., '192.168.1.45').
cidr_range_str (str): The CIDR range (e.g., '192.168.1.0/24').
Returns:
bool: True if the IP is in the range, False otherwise.
"""
try:
# Create an IP address object
ip_addr = ipaddress.ip_address(ip_address_str)
# Create a network object from the CIDR range
network = ipaddress.ip_network(cidr_range_str)
# Use the 'in' operator to check for containment
return ip_addr in network
except ValueError as e:
print(f"Error: {e}")
return False
# --- Example Usage ---
ip_to_check = '192.168.1.45'
cidr_subnet = '192.168.1.0/24'
result = is_ip_in_cidr(ip_to_check, cidr_subnet)
print(f"Is {ip_to_check} in {cidr_subnet}? {result}") # Output: True
ip_to_check_2 = '10.0.1.127'
cidr_subnet_2 = '10.0.0.0/24'
result_2 = is_ip_in_cidr(ip_to_check_2, cidr_subnet_2)
print(f"Is {ip_to_check_2} in {cidr_subnet_2}? {result_2}") # Output: FalseThanks for your reply on this.
I tried to recreate what you did above and got it to successfully find [removed by moderator] .
However, I think I may have been confused as to what this action/data-tables can do - as I wanted to provide the value [removed by moderator] which would be in that IP range and find that instead.
It looks like its only doing a string search not an IP search within a CIDR range.
Can it not do that?
+12
It looks like its only doing a string search not an IP search within a CIDR range.
Can it not do that?
Oh, I see what you are trying to do. I think you would want to build out a python function in the IDE to get the CIDR range for the IP. You would have string type mismatch with trying to do it with a table.
something like:
import ipaddress
def is_ip_in_cidr(ip_address_str, cidr_range_str):
"""
Checks if a given IP address falls within a specified CIDR range.
Args:
ip_address_str (str): The IP address (e.g., '192.168.1.45').
cidr_range_str (str): The CIDR range (e.g., '192.168.1.0/24').
Returns:
bool: True if the IP is in the range, False otherwise.
"""
try:
# Create an IP address object
ip_addr = ipaddress.ip_address(ip_address_str)
# Create a network object from the CIDR range
network = ipaddress.ip_network(cidr_range_str)
# Use the 'in' operator to check for containment
return ip_addr in network
except ValueError as e:
print(f"Error: {e}")
return False
# --- Example Usage ---
ip_to_check = '192.168.1.45'
cidr_subnet = '192.168.1.0/24'
result = is_ip_in_cidr(ip_to_check, cidr_subnet)
print(f"Is {ip_to_check} in {cidr_subnet}? {result}") # Output: True
ip_to_check_2 = '10.0.1.127'
cidr_subnet_2 = '10.0.0.0/24'
result_2 = is_ip_in_cidr(ip_to_check_2, cidr_subnet_2)
print(f"Is {ip_to_check_2} in {cidr_subnet_2}? {result_2}") # Output: FalseEnter your E-mail address. We'll send you an e-mail with instructions to reset your password.