2013-12-06 09:10 AM
I am looking to create dashboards that show our outgoing/incoming network connections. What is the best way to filter out large cidr blocks? Is it better to create an app rule to have it run during collection? Currently I am trying out doing a ip.dst != '10.0.0.0/8'
2013-12-06 12:05 PM
Do you already have your internal ranges mapped out? As analyst best practice I typically use a feed to map out IP ranges in a CSV, to provide some additional context (unless you have the Archer integration already doing this).
10.1.0.0/16 = site1
10.1.1.1 = to_proxy (site 1)
x.x.x.x = from proxy (site 1)
10.2.0.0/16 = site2
10.2.1.1 = to_proxy (site 2)
x.x.x.x = from proxy (site 2)
10.3.0.0/16 = VPN range
10.4.0.0/16 = Guest wireless
You could use an application rule to create custom meta although a feed is much more efficient. Once you have this additional meta you can easily build rules around the new meta.
Craig
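As an added example (not code from this thread or from the product being discussed), the Python below does what this reply sketches: it loads the CIDR-to-site CSV as a feed, tags each session with site and direction meta, and builds the outbound chart input from that meta instead of from a raw ip.dst exclusion. The feed rows and sessions are constructed sample data, and the meta key names are assumptions.

```python
import csv
import io
import ipaddress

# Constructed feed in the CSV shape the reply describes: one range or host per row
# plus the label that becomes the custom meta. Sample values, not a real network.
FEED_CSV = """cidr,label
10.1.0.0/16,site1
10.1.1.1,to_proxy (site 1)
10.2.0.0/16,site2
10.2.1.1,to_proxy (site 2)
10.3.0.0/16,VPN range
10.4.0.0/16,Guest wireless
"""

def load_feed(text):
    """Parse the feed into (network, label) pairs, most specific prefix first."""
    nets = [(ipaddress.ip_network(r["cidr"].strip(), strict=False), r["label"].strip())
            for r in csv.DictReader(io.StringIO(text))]
    # Longest prefix first, so the /32 proxy entry wins over the /16 containing it.
    nets.sort(key=lambda n: n[0].prefixlen, reverse=True)
    return nets

def lookup(ip, feed):
    """Label of the most specific feed range containing ip, or None if external."""
    addr = ipaddress.ip_address(ip)
    return next((label for net, label in feed if addr in net), None)

def tag_session(src, dst, feed):
    """Add site and direction meta to one session, as a feed or app rule would."""
    src_site, dst_site = lookup(src, feed), lookup(dst, feed)
    direction = {(True, True): "internal", (True, False): "outbound",
                 (False, True): "inbound"}.get((src_site is not None, dst_site is not None), "external")
    return {"ip.src": src, "ip.dst": dst, "src.site": src_site,
            "dst.site": dst_site, "direction": direction}

def outbound_destinations(sessions, feed):
    """Chart input: (source site, external destination) for each outbound session.
    The session is kept; only the internal address is left out of the displayed value."""
    tagged = (tag_session(s, d, feed) for s, d in sessions)
    return [(t["src.site"], t["ip.dst"]) for t in tagged if t["direction"] == "outbound"]

# Constructed sessions, including the one asked about: 10.1.1.30 -> 63.2.45.3.
SESSIONS = [("10.1.1.30", "63.2.45.3"), ("63.2.45.3", "10.2.1.1"),
            ("10.1.1.30", "10.4.0.9"), ("10.1.1.1", "198.51.100.7")]

if __name__ == "__main__":
    for site, dst in outbound_destinations(SESSIONS, load_feed(FEED_CSV)):
        print(f"{site} -> {dst}")
```

The 10.1.1.30 -> 63.2.45.3 session is tagged outbound and stays in the result, which is the behaviour the follow-up question asks about; a direction filter on the new meta drops only the sessions with no external side.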
2013-12-06 12:50 PM
What meta does it filter on?
What I want the chart to do is all outbound tagged traffic without showing our clients/networks IPs. So if the log or packet is say 10.1.1.30 to 63.2.45.3. When I tell it to filter out all my networks (10.0.0.0/8), will it keep that log and show me that 63.2.45.3 is outbound traffic?