Wildcard Subnet Mask Support in MWG???

Are there any plans to support wildcard subnet masks within IP lists in MWG? This would help me immensely as we have about 40 IP lists with over 1000 entries per list. We could cut this down to 40 different IP/wildcard entries instead if we had support for it.

e.g. subnet: 10.0.0.25  mask: 0.63.248.0

8 Replies
McAfee Employee

Re: Wildcard Subnet Mask Support in MWG???

Hey Matt!

This is the first time I've seen that specific request. I would assume from the wildcard mask you gave this is not a normal netmask that is covered by CIDR or range notation.

So you want to be able to check if an IP falls within a certain wildcard subnet mask?

So 10.0.0.25/0.63.248.0 would include...

  • 10.0.0.25 (itself)
  • 10.0.1.25
  • 10.0.2.25
  • ...
  • 10.63.248.25

If the above is correct, we could use a criterion of *.IP matches some sort of regex, but I'm guessing you started exploring that and the regex got really complicated.

In the past I remember a customer using Math in the events to calculate the modulo for each of the octets in the IP. I feel like they needed to do that for similar reasons... (this was like 4 years ago -- so I'm struggling to remember it clearly). Based on the result they were able to compute a result which told us what wildcard subnet the IP came from.

Best Regards,

Jon


Re: Wildcard Subnet Mask Support in MWG???

Hi Jon!

It's sort of like that but a little more complex. It allows for some pretty specific matching on the various octets. Here is an example of how that example breaks out:

www.Boson.com Wildcard mask checker

IP Address:    10.0.0.25
Wildcard mask: 0.63.248.0

First Octet Match(es): 10
Second Octet Match(es): 0-63
Third Octet Match(es): 0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, 128, 136, 144, 152, 160, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, 248
Fourth Octet Match(es): 25

McAfee Employee

Re: Wildcard Subnet Mask Support in MWG???

Hi Matt,

For those that might read this later and I'm also curious, where does this need come from? Is this how the network team has things laid out (I'm guessing so)?

I found the case I had with another customer. In each retail location machines were assigned a special IP based on the machine type (point of sale, kiosk, employee, or other). We could look at that IP and determine if it was assigned based on a certain modulo for the octets. In this case, we created one rule which looked at the 3rd octet and depending on the modulo output it was one of the four machine types. In our case, we took the 3rd octet and used the modulo against 4. So 68 modulo 4 would give us 0. 69 modulo 4 would give us 1.

Here is what the rule looks like:

I feel like I could be very wrong about this helping, or it could be another way to approach the problem. I also attached the ruleset which includes this rule. In the above example, to change which octet is evaluated we need to change the list pointer (the client IP is broken into a string list, then we pick what item in the list to look at), so 3rd octet is in the 0,1,2nd entry.

To verbalize the event in the rule (start from the inner most component and work your way out):

1. Convert IP to a string

2. Convert IP string to a list of strings (using period as a separator)

3. Pick an element in the IP string list (192,168,1,1 -- each number is an element in the list, in this case we picked the 3rd element/octet which is 2)

4. Convert that string to a number

5. Modulo that number against another number, in this case 4

6. Profit! Or.. store the value for later use.

This does seem to help with your 3rd octet (you'd be evaluating 3rd octet modulo 8, looking for 0), but I'm not sure how to tackle the second octet.

Had to brush up on my math skillz for this one...

Best Regards,

Jon

edit: clarification, spelling

McAfee Employee

Re: Wildcard Subnet Mask Support in MWG???

Here is what I came up with for that specific example you gave, this would cover it (I'm pretty sure).

Is that the only one you have or do you have 40 wildcard subnet masks?

Best Regards,

Jon

Edit: needed to change ORs to ANDs


Re: Wildcard Subnet Mask Support in MWG???

Jon,

Would it be possible to do a Range on that last octet check? In other words in this example could we look for 25-30 as the last octet instead of just 25?

Thanks!

MattS...

McAfee Employee

Re: Wildcard Subnet Mask Support in MWG???

Hey Matt,

The above rule has an example of that exact thing for checking a range except I did it for the second octet.

2nd octet >= 0 AND 2nd octet <= 63

I remembered that previous scenario, so once I found the rules it was pretty easy to piece my memory back together. What would your two entries be if we had the wildcard subnet mask functionality? Or more directly, what would the rule look like with your desired end result?

Client IP is in wildcard subnet list [0.63.248.0, x.x.x.x, y.y.y.y] ? What would x.x.x.x and y.y.y.y be? Would there be more?

It almost seems like this problem might be solved by first determining the location, then the machine type, and then interrogating further to see if it needs internet access. I haven't gotten to think this last part through though. Once you have all those variables you put them together to decide if they should have access or not.

Best Regards,

Jon


Re: Wildcard Subnet Mask Support in MWG???

Jon,

How would you do the modulo math on this one?

IP Address:    10.0.2.65
Wildcard mask: 0.63.248.0

First Octet Match(es): 10
Second Octet Match(es): 0-63
Third Octet Match(es): 2, 10, 18, 26, 34, 42, 50, 58, 66, 74, 82, 90, 98, 106, 114, 122, 130, 138, 146, 154, 162, 170, 178, 186, 194, 202, 210, 218, 226, 234, 242, 250
Fourth Octet Match(es): 65


Re: Wildcard Subnet Mask Support in MWG???

Jon,

You're exactly correct on where this need comes from. We have a little over 1200 retail stores and each store is given a /21 network. That /21 network is chopped up a certain way into multiple smaller subnets. Within each subnet specific machine types (POS, kiosks, customer service PCs, etc) have specific last octets. So we can tell what type of system it is by the IP address consistently across stores. The problem is that we may have a subnet with 10 PCs in it but only 2 (not contiguous IPs) need access to the Internet. So we end up having to make an IP list with over 2400 /32 entries to cover just these 2 machines in each store. We would be able to do it with 2 entries if we had the wildcard subnet flexibility.

I'm still trying to decode your solution but it will likely work too. I really appreciate you devoting that much time and effort to it!

Thanks!

MattS...

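Added example, not from the thread and not MWG code: a small Python model of what the Boson checker and Jon's modulo rule are doing, so the two can be compared. It assumes Cisco-style wildcard semantics (a 1 bit in the mask means "don't care", a 0 bit means "must equal the base"); all function names are mine. It goes one step beyond the thread by generalising the modulo/range trick to any wildcard octet whose 1 bits are a single contiguous run, and by checking exhaustively that the rule and the bitwise mask agree for both of Matt's examples.

```python
import ipaddress

def _octets(addr: str) -> list[int]:
    return [int(o) for o in addr.split(".")]

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard test: a 1 bit in the mask means 'don't care',
    a 0 bit means 'must equal the base'. 10.0.0.25 / 0.63.248.0 therefore
    fixes octet 1, the top two bits of octet 2, the low three bits of
    octet 3 and all of octet 4 (mask bits need not be contiguous)."""
    i, b, w = (int(ipaddress.IPv4Address(a)) for a in (ip, base, wildcard))
    return (i ^ b) & ~w & 0xFFFFFFFF == 0

def octet_matches(base: str, wildcard: str) -> list[list[int]]:
    """Per-octet list of matching values, the breakdown the Boson checker
    prints (e.g. octet 3 with base 2 and wildcard 248 -> 2, 10, ..., 250)."""
    return [[v for v in range(256) if (v ^ bo) & ~wo & 0xFF == 0]
            for bo, wo in zip(_octets(base), _octets(wildcard))]

def octet_rule(value: int, base_octet: int, wildcard_octet: int) -> bool:
    """Jon's modulo / range trick for one octet, generalised. It only works
    when the wildcard's 1 bits form one contiguous run at the top or bottom
    of the byte; the bitwise test above has no such restriction."""
    if wildcard_octet == 0:                    # all bits fixed: equality
        return value == base_octet
    if wildcard_octet == 255:                  # no bits fixed
        return True
    span = wildcard_octet + 1                  # 63 -> 64: free low bits
    if wildcard_octet & span == 0 and span & (span - 1) == 0:
        return value // span == base_octet // span     # range 0..63
    mod = 256 - wildcard_octet                 # 248 -> 8: free high bits
    if wildcard_octet & (mod - 1) == 0 and mod & (mod - 1) == 0:
        return value % mod == base_octet % mod         # "octet 3 mod 8 == 2"
    raise ValueError(f"wildcard octet {wildcard_octet} is not one contiguous run")

def rule_match(ip: str, base: str, wildcard: str) -> bool:
    """Whole-address form of the MWG rule: one octet_rule per octet, ANDed."""
    return all(octet_rule(v, bo, wo) for v, bo, wo in
               zip(_octets(ip), _octets(base), _octets(wildcard)))

def rule_agrees_with_mask(base: str, wildcard: str) -> bool:
    """Exhaustively confirm the modulo/range rule equals the bitwise test
    for every possible value of every octet of this base/wildcard pair."""
    return all(octet_rule(v, bo, wo) == ((v ^ bo) & ~wo & 0xFF == 0)
               for bo, wo in zip(_octets(base), _octets(wildcard))
               for v in range(256))
```

For the second example the third-octet test becomes "octet 3 modulo 8 == 2" rather than "== 0", which is the only change Jon's rule needs. Matt's 25-30 last-octet range cannot be one wildcard entry (the nearest aligned block, fixed bits 00011xxx, is 24-31), so it stays a range comparison in the rule, exactly as Jon did for the second octet.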