A modifier for IPv4/IPv6 addresses for CIDR matching would be useful, especially for classless addresses.
Based on sysmon_dllhost_net_connections.yml, the filter is much simpler to read:
```yaml
filter:
    DestinationIp|cidr:
        - '10.0.0.0/8'
        - '172.16.0.0/12'
        - '192.168.0.0/16'
        - '127.0.0.0/8'
        - 'fe80::/16'
```
If the backend does not support CIDR natively, it can decompose the address into multiple wildcards with the ipaddress library.
For an IPv4 example:
```python
import ipaddress

net = ipaddress.IPv4Network("172.16.0.0/12")
# Round the prefix up to the next octet boundary (12 -> 16). A prefix that is
# already a multiple of 8 stays as it is, so /8 yields "10.*" rather than "10.0.*".
wc_mask = -(-net.prefixlen // 8) * 8
# Every trailing ".0" octet of the network address is two characters; they are
# cut off and replaced by ".*" (a /32 keeps the full address).
wc_trail_chars = -2 * ((32 - wc_mask) // 8)
# An octet-aligned prefix needs no splitting; otherwise enumerate the aligned
# subnets that together cover the network exactly (/12 -> sixteen /16 networks).
subnets = [net] if wc_mask == net.prefixlen else net.subnets(new_prefix=wc_mask)
for subnet in subnets:
    if wc_trail_chars < 0:
        print(subnet.network_address.exploded[:wc_trail_chars] + ".*")
    else:
        print(subnet.network_address.exploded)
```
For IPv6, the resulting string would need to be validated against the IPv6 output from the Windows Event Log.
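As an added example (not code from the issue, from Sigma or from pySigma), the decomposition above generalized to IPv4 octet boundaries and IPv6 nibble boundaries, together with the two checks a backend author would want: that the generated wildcards agree with real CIDR membership, and that a logged IPv6 string must be canonicalized before wildcard matching, because Windows logs the compressed form ("2001:db8::1") while the wildcards are built from the exploded form. The function names `cidr_to_wildcards`, `matches`, `raw_matches` and `wildcards_equal_cidr` are hypothetical, and the sample addresses are constructed for the demonstration.

```python
import fnmatch
import ipaddress


def cidr_to_wildcards(cidr: str) -> list[str]:
    """Expand a CIDR network into glob patterns over the exploded address form.

    IPv4 patterns are cut at octet boundaries ("172.16.*" ... "172.31.*");
    IPv6 patterns at nibble boundaries of the fully exploded form ("fe80:*",
    "2001:0db8:*"). A prefix that is not aligned is rounded up and the network
    is split into the aligned subnets that cover it exactly, so the patterns
    never over-match.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    unit = 8 if net.version == 4 else 4          # bits per octet / per hex digit
    aligned = -(-net.prefixlen // unit) * unit   # round the prefix up to a boundary
    if aligned == 0:
        return ["*"]
    # An aligned prefix needs no splitting; otherwise enumerate the aligned children.
    subnets = [net] if aligned == net.prefixlen else list(net.subnets(new_prefix=aligned))
    patterns = []
    for sub in subnets:
        text = sub.network_address.exploded
        if aligned == net.max_prefixlen:
            patterns.append(text)                # host route (/32, /128): exact match
        elif net.version == 4:
            octets = text.split(".")[: aligned // 8]
            # The trailing "." matters: "172.16.*" must not match "172.160.1.1".
            patterns.append(".".join(octets) + ".*")
        else:
            n = aligned // 4                     # fixed hex digits
            patterns.append(text[: n + n // 4] + "*")   # plus one ":" per 4 digits
    return patterns


def matches(value: str, patterns: list[str]) -> bool:
    """Match a logged address against the wildcards after canonicalizing it.

    The patterns were built from the exploded form, so the value is exploded
    first; anything that is not a valid address never matches.
    """
    try:
        text = ipaddress.ip_address(value).exploded
    except ValueError:
        return False
    return any(fnmatch.fnmatchcase(text, p) for p in patterns)


def raw_matches(value: str, patterns: list[str]) -> bool:
    """The same match on the raw log string, i.e. what a naive backend does."""
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def wildcards_equal_cidr(cidr: str, samples: list[str]) -> bool:
    """Check that wildcard matching agrees with real CIDR membership on samples."""
    net = ipaddress.ip_network(cidr, strict=True)
    patterns = cidr_to_wildcards(cidr)
    return all((ipaddress.ip_address(s) in net) == matches(s, patterns) for s in samples)


if __name__ == "__main__":
    # Constructed sample: the private ranges from the issue plus a classless IPv6 block.
    for cidr in ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/16", "2001:db8::/29"]:
        print(cidr, "->", cidr_to_wildcards(cidr))
    # Constructed log value in the compressed form Windows emits: the raw string
    # misses the wildcard, the canonicalized one matches.
    pats = cidr_to_wildcards("2001:db8::/32")
    print("raw:", raw_matches("2001:db8::1", pats), "canonical:", matches("2001:db8::1", pats))
```

The IPv6 caveat is the practical one: without canonicalization a wildcard such as `2001:0db8:*` silently misses every compressed address in the block, so a backend that cannot normalize the field should either emit the compressed spelling as well or refuse to translate IPv6 CIDRs into wildcards.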
This would be extremely useful
Hello, I put up #1563 to add an IPv4 modifier.
Hi, it is in PySigma