topic Re: Log filter for RANGE of IP's or Ports in General Topics

Log filter for RANGE of IP's or Ports

Gun-Slinger — Mon, 10 Apr 2017 17:47:35 GMT

Does anyone know the syntax used to create filters for port or IP ranges?

For example, I want to filter on IP's 10.0.0.1-10.0.0.5 9same for port ranges).

Thanks in advance

Re: Log filter for RANGE of IP's or Ports

bradk14 — Mon, 10 Apr 2017 18:01:00 GMT

for port ranges, you can combine the geq (greater than or equal to) and leq (less than or equal to) with an AND operator, e.g:

 (port.dst geq 53) and (port.dst leq 442)

will show DNS and HTTP but not HTTPS or SSH requests

for IP, I believe your only option is to use CIDR notation, but you can get as specific as you need to with the subnet mask.

for example,

( addr.src in 10.0.0.0/29 )

will show IPs in the range of 10.0.0.0 - 10.0.0.7 (though .0 is the network and .7 is the broadcast in this case, so those 2 shouldn't show up in results)

Re: Log filter for RANGE of IP's or Ports

jsalmans — Mon, 10 Apr 2017 18:05:01 GMT

*edit* Woops, @bradk14 beat me to it!

If you're referring to one of the tabs/pages that has access to the filter builder then I'd do something like this:

( addr.src in 192.168.1.0/24 ) and ((port.dst geq 60) and (port.dst leq 450))

This is just an example that does both functions but you could easily break that up. This basically searches for everything between 192.168.1.0-192.168.1.255 that goes to a destination port between and including 60 through 450.

With the ports you just use geq and leq ("greater than or equal to" and "less than or equal to" respectively).

With the IP I don't think you can use those same operators... it looks just just be a "in" or "not in" and it won't accept a range (192.168.1.0-192.168.1.255) so you do it as a subnet instead (192.168.1.0/24).