IP Wildcard in custom report?

L4 Transporter

I have a custom report; I need to exclude 40 instances of

192.168.x.100 to dest port (1234 or 1235)

Is there a short way to do this, or am I faced with 40 repeating lines like this...

( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and
( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and
( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and

L4 Transporter

Wow, this is proving to be frustrating...

Although I can run my LARGE query, I can't save it as there is a 2048-character limit.

I tried by host name "Branch Office *"

But the * wildcard does nothing....

You can't use a wildcard in a query, therefore you can't utilize it within the custom report.

Any idea how I can exclude the 40 entries from the report then?

Cheers

Rob


Cyber Elite

@RobinClayton,

It looks like you're trying to obfuscate your actual query, which I can understand, but you've done it to the degree that you'll need to let on a little bit more about what you are actually trying to do.

What actually changes in your query? The src IP, the negated ports? From what you have displayed, your query doesn't make much sense.

There was an error in my obfuscation; the third octet changes.

( addr.src notin 192.168.10.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and
( addr.src notin 192.168.11.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and
( addr.src notin 192.168.12.100 and ((port.dst neq 1234) or (port.dst neq 1235)))
and

Can anyone think of a solution?

Thanks

Robin

Use a host range? Something like a.a.a.a/CIDR:

( addr.src notin 192.168.0.0/16 and ((port.dst neq 1234) or (port.dst neq 1235)))

Then you have all of 192.168.0.0 to 192.168.255.255, or set this to "192.168.10.100 - 192.168.20.100".

Look here: https://live.paloaltonetworks.com/t5/Featured-Articles/Basics-of-Traffic-Monitor-Filtering/ta-p/6524...

Or do I get it wrong?

I don't think the solution that @clonesheep mentioned is going to work here because you vary the third octet. You could do the entire range and just negate the specific destination ports that you don't want in the report; but I'm guessing that if that was an option you would have already done so. 

If you don't care about the logs for this traffic at all, for example if it's AD traffic you are trying to ignore, you could push out a security policy that didn't actually have any logging enabled. That way you wouldn't have to worry about the logs at all, you could run the reports as needed, and if you have an issue you could simply update the policy to enable logging again. Maybe that would be a solution? 

Think I have it now. I am not sure if the logic was just wrong somewhere or if the parsing is not quite what I was expecting.

Anyway, I changed where the "not"s were

and made the whole match "and not" instead of "not".

That's sorted it. Not very elegant, but it works; not sure how many characters it takes up and what the maximum would be. Certainly it's not going to be great if we need more exclusions for other items.


(action neq allow)
and
(zone.src eq TRUST)
and
(zone.dst eq UNTRUST)
and not
((( addr.src in 10.100.20.123 )
or( addr.src in 10.100.21.123 )
or( addr.src in 10.100.22.123 )
or( addr.src in 10.100.23.123 )
or( addr.src in 10.100.24.123 )
or( addr.src in 10.100.25.123 )
or( addr.src in 10.100.26.123 )
or( addr.src in 10.100.27.123 )
or( addr.src in 10.100.28.123 )
or( addr.src in 10.100.29.123 )
or( addr.src in 10.100.30.123 )
or( addr.src in 10.100.31.123 )
or( addr.src in 10.100.32.123 )
or( addr.src in 10.100.33.123 )
or( addr.src in 10.100.34.123 )
or( addr.src in 10.100.35.123 )
or( addr.src in 10.100.36.123 )
or( addr.src in 10.100.37.123 )
or( addr.src in 10.100.38.123 )
or( addr.src in 10.100.39.123 )
or( addr.src in 10.100.40.123 )
or( addr.src in 10.100.41.123 )
or( addr.src in 10.100.42.123 )
or( addr.src in 10.100.43.123 )
or( addr.src in 10.100.44.123 )
or( addr.src in 10.100.45.123 )
or( addr.src in 10.100.46.123 )
or( addr.src in 10.100.47.123 )
or( addr.src in 10.100.48.123 )
or( addr.src in 10.100.49.123 )
or( addr.src in 10.100.50.123 )
or( addr.src in 10.100.51.123 )
or( addr.src in 10.100.52.123 )
or( addr.src in 10.100.53.123 )
or( addr.src in 10.100.54.123 )
or( addr.src in 10.100.55.123 )
or( addr.src in 10.100.56.123 )
) and ((port.dst eq 8800)
or (port.dst eq 12366)))
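As an added example (not code from the thread, and not from Palo Alto Networks), here is a short Python script that generates the shape of filter Rob ended up with for any host and port list, checks it against the 2048-character save limit mentioned above, and models both filter shapes from the thread on constructed log records. It shows that the opening post's `(port.dst neq 1234) or (port.dst neq 1235)` is always true, so that form silently drops every flow from the listed hosts rather than just the two ports, and that the tightest single CIDR covering hosts whose third octet varies spans thousands of addresses that are not on the list. The record model, the sample records and the exact limit value are assumptions made for illustration; only the filter text mirrors the syntax shown in the thread.

```python
"""
Generate a per-host exclusion filter in the shape the thread ends with,
check it against the 2048-character save limit the poster hit, and compare
the two filter shapes from the thread on constructed log records.

Added example, not from the original post or from Palo Alto Networks.
The record model, sample records and SAVE_LIMIT are assumptions.
"""
from ipaddress import ip_address

SAVE_LIMIT = 2048  # custom-report save limit reported in the thread (assumed exact)


def build_exclusion_filter(base_terms, hosts, ports):
    """Emit '<base> and not ((src in h1 or ...) and (dst eq p1 or ...))'.

    This is the shape of the working query: negate the whole host/port
    match once instead of negating each term separately.
    """
    if not hosts or not ports:
        raise ValueError("need at least one host and one port")
    base = " and ".join(f"({t})" for t in base_terms)
    host_clause = " or ".join(f"( addr.src in {h} )" for h in hosts)
    port_clause = " or ".join(f"(port.dst eq {p})" for p in ports)
    return f"{base} and not (({host_clause}) and ({port_clause}))"


def fits_save_limit(query, limit=SAVE_LIMIT):
    """True if the query is short enough to be saved as a custom report."""
    return len(query) <= limit


def excluded_by_first_shape(rec, hosts, ports):
    """Model the opening post: per host, 'src notin h and (dst neq p1 or
    dst neq p2)', all terms ANDed.  With two distinct ports the
    'neq ... or neq ...' part is true for every port, so the whole filter
    reduces to 'src not in any listed host' and drops all their traffic."""
    kept = all(rec["src"] != h and any(rec["dport"] != p for p in ports)
               for h in hosts)
    return not kept


def excluded_by_final_shape(rec, hosts, ports):
    """Model the final post: 'not ((src in h1 or ...) and (dst eq p1 or ...))'."""
    return rec["src"] in set(hosts) and rec["dport"] in set(ports)


def tightest_cidr(hosts):
    """Smallest single CIDR containing all hosts, plus the address count it spans.

    Shows why one 'addr.src notin a.b.c.d/n' term cannot stand in for a list
    of hosts whose third octet varies: the covering block pulls in strangers.
    """
    ints = [int(ip_address(h)) for h in hosts]
    lo, hi = min(ints), max(ints)
    prefix = 32 - (lo ^ hi).bit_length()
    shift = 32 - prefix
    network = (lo >> shift) << shift
    return f"{ip_address(network)}/{prefix}", 1 << shift


# Constructed inputs mirroring the thread: 37 hosts 10.100.20.123 .. 10.100.56.123
HOSTS = [f"10.100.{i}.123" for i in range(20, 57)]
PORTS = [8800, 12366]
BASE = ["action neq allow", "zone.src eq TRUST", "zone.dst eq UNTRUST"]

# Constructed log records (not real traffic); only 'src' and 'dport' matter here.
RECORDS = [
    {"src": "10.100.21.123", "dport": 8800},   # should be excluded
    {"src": "10.100.21.123", "dport": 443},    # should stay in the report
    {"src": "10.100.99.5",   "dport": 8800},   # should stay in the report
]


def compare_shapes(records=RECORDS, hosts=HOSTS, ports=PORTS):
    """Return (first_shape_excluded, final_shape_excluded) as boolean lists."""
    first = [excluded_by_first_shape(r, hosts, ports) for r in records]
    final = [excluded_by_final_shape(r, hosts, ports) for r in records]
    return first, final


if __name__ == "__main__":
    query = build_exclusion_filter(BASE, HOSTS, PORTS)
    print(f"{len(query)} chars, fits save limit: {fits_save_limit(query)}")
    first, final = compare_shapes()
    print("first shape excludes:", first)   # second record wrongly dropped
    print("final shape excludes:", final)   # only the intended flow dropped
    print("tightest covering CIDR:", tightest_cidr(HOSTS))
```

Run as-is it prints the generated filter length, the two exclusion vectors for the three sample records, and the covering block for the 37 hosts (10.100.0.0/18, 16384 addresses). Each host costs about 33 characters in this shape, so the 2048-character save limit is reached at roughly 60 hosts; beyond that the "disable logging on a dedicated rule" suggestion above is the practical alternative.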
