Add new modifier: CIDR

[malvidin]

A modifier for IPv4/IPv6 addresses for CIDR matching would be useful, especially for classless addresses.

Based on sysmon_dllhost_net_connections.yml, the filter is much simpler to read:

    filter:
        DestinationIp|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '127.0.0.0/8'
            - 'fe80::/16'

If the backend does not support CIDR natively, it can decompose the address into multiple wildcards with the ipaddress library.

For an IPv4 example:

net = ipaddress.IPv4Network("172.16.0.0/12")
wc_mask = (1 + net.prefixlen // 8) * 8
wc_trail_chars = -2 * ((32-wc_mask) // 8)

if net.prefixlen % 8 == 0:
    if wc_trail_chars < 0:
        print(net.network_address.exploded[:wc_trail_chars] + ".*")
    else:
        print(net.network_address.exploded)
else:
    for subnet in net.subnets(new_prefix=wc_mask):
        if wc_trail_chars < 0:
            print(subnet.network_address.exploded[:wc_trail_chars] + ".*")
        else:
            print(subnet.network_address.exploded)

For IPv6, the resulting string would need to validated against the IPv6 output from the Windows Event Log.

[krsbr]

This would be extremely useful

[frack113]

Hello,
I put #1563 to add a ipv4 modifiers

[frack113]

Hi, it is in PySigma