Are there any plans to support wildcard subnet masks within IP lists in MWG? This would help me immensely as we have about 40 IP lists with over 1000 entries per list. We could cut this down to 40 different IP/wildcard entries instead if we had support for it.
e.g. subnet: 10.0.0.25, mask: 0.63.248.0
Hey Matt!
This is the first time I've seen that specific request. I would assume from the wildcard mask you gave this is not a normal netmask that is covered by CIDR or range notation.
So you want to be able to check if an IP falls within a certain wildcard subnet mask?
So 10.0.0.25/0.63.248.0 would include...
If the above is correct, we could use a criteria of *.IP matches some sort of regex, but I'm guessing you started exploring that and the regex got really complicated.
In the past I remember a customer using Math in the events to calculate the modulo for each of the octets in the IP. I feel like they needed to do that for similar reasons... (this was like 4 years ago -- so I'm struggling to remember it clearly). Based on the result they were able to compute a result which told us what wildcard subnet the IP came from.
Best Regards,
Jon
Hi Jon!
It's sort of like that but a little more complex. It allows for some pretty specific matching on the various octets. Here is an example of how that example breaks out:
www.Boson.com Wildcard mask checker
IP Address: 10.0.0.25
Wildcard mask: 0.63.248.0
First Octet Match(es): 10
Second Octet Match(es): 0-63
Third Octet Match(es): 0, 8, 16, 24, 32, 40, 48, 56, 64, 72, 80, 88, 96, 104, 112, 120, 128, 136, 144, 152, 160, 168, 176, 184, 192, 200, 208, 216, 224, 232, 240, 248
Fourth Octet Match(es): 25
Hi Matt,
For those that might read this later and I'm also curious, where does this need come from? Is this how the network team has things laid out (I'm guessing so)?
I found the case I had with another customer. In each retail location machines were assigned a special IP based on the machine type (point of sale, kiosk, employee, or other). We could look at that IP and determine if it was assigned based on a certain modulo for the octets. In this case, we created one rule which looked at the 3rd octet and depending on the modulo output it was one of the four machine types. In our case, we took the 3rd octet and used the modulo against 4. So 68 modulo 4 would give us 0. 69 modulo 4 would give us 1.
Here is what the rule looks like:
I feel like I could be very wrong about this helping, or it could be another way to approach the problem. I also attached the ruleset which includes this rule. In the above example, to change which octet is evaluated we need to change the list pointer (the client IP is broken into a string list, then we pick what item in the list to look at), so 3rd octet is in the 0,1,2nd entry.
To verbalize the event in the rule (start from the inner most component and work your way out):
1. Convert IP to a string
2. Convert IP string to a list of strings (using period as a separator)
3. Pick an element in the IP string list (192,168,1,1 -- each number is an element in the list, in this case we picked the 3rd element/octet which is 2)
4. Convert that string to a number
5. Modulo that number against another number, in this case 4
6. Profit! Or.. store the value for later use.
This does seem to help with your 3rd octet (you'd be evaluating 3rd octet modulo 8, looking for 0), but I'm not sure how to tackle the second octet.
Had to brush up on my math skillz for this one...
Best Regards,
Jon
edit: clarification, spelling
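To make the octet-by-octet rule above concrete, here is an added Python example (not MWG rule syntax and not from the original thread). It checks an address two ways: directly against a Cisco-style wildcard mask (a 1 bit means "don't care"), and with Jon's split-the-octets approach (exact 1st octet, range on the 2nd, modulo on the 3rd), generalized so the 4th octet can also be a range. The base address, mask and sample IPs are the ones from the thread; the function names are my own.

```python
import ipaddress

def wildcard_match(ip: str, base: str, wildcard: str) -> bool:
    """True when every 'care' bit (0 in the wildcard) of ip equals base."""
    ip_i = int(ipaddress.IPv4Address(ip))
    base_i = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ((ip_i ^ base_i) & care) == 0

def octet_rule_match(ip: str, base: str = "10.0.0.25", second_max: int = 63,
                     third_mod: int = 8, fourth_range=(25, 25)) -> bool:
    """Jon's rule: split on '.', compare octet 1, range-check octet 2,
    modulo-check octet 3 and (extension) range-check octet 4.
    The modulo trick is only equivalent to the wildcard mask when the
    mask's third octet is 256 - 2^k (i.e. 248 = 11111000), so that the
    'care' bits are the low bits."""
    o = [int(x) for x in ip.split(".")]
    b = [int(x) for x in base.split(".")]
    return (o[0] == b[0]
            and 0 <= o[1] <= second_max
            and o[2] % third_mod == b[2] % third_mod
            and fourth_range[0] <= o[3] <= fourth_range[1])

def third_octet_matches(base: str, wildcard: str) -> list:
    """Enumerate every third-octet value the wildcard mask accepts
    (reproduces the 'Third Octet Match(es)' list from the checker tool)."""
    b3 = int(base.split(".")[2])
    care3 = ~int(wildcard.split(".")[2]) & 0xFF
    return [v for v in range(256) if ((v ^ b3) & care3) == 0]

if __name__ == "__main__":
    # Constructed sample addresses: one POS-style host per check.
    for ip in ("10.17.8.25", "10.64.8.25", "10.17.9.25", "10.17.8.28"):
        print(ip, wildcard_match(ip, "10.0.0.25", "0.63.248.0"),
              octet_rule_match(ip, fourth_range=(25, 30)))
    print(third_octet_matches("10.0.2.65", "0.63.248.0"))
```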
Here is what I came up with for that specific example you gave, this would cover it (I'm pretty sure).
Is that the only one you have or do you have 40 wildcard subnet masks?
Best Regards,
Jon
Edit, needed to change ORs to ANDs
Jon,
Would it be possible to do a Range on that last octet check? In other words in this example could we look for 25-30 as the last octet instead of just 25?
Thanks!
MattS...
Hey Matt,
The above rule has an example of that exact thing for checking a range except I did it for the second octet.
2nd octet >= 0 AND 2nd octet <= 63
I remembered that previous scenario, so once I found the rules it was pretty easy to piece my memory back together. What would your two entries be if we had the wildcard subnet mask functionality? Or more directly, what would the rule look like with your desired end result?
Client IP is in wildcard subnet list [0.63.248.0, x.x.x.x, y.y.y.y] ? What would x.x.x.x and y.y.y.y be? Would there be more?
It almost seems like this problem might be solved by first determining the location, then the machine type, and then interrogating further to see if it needs internet access. I haven't gotten to think this last part through though. Once you have all those variables you put them together to decide if they should have access or not.
Best Regards,
Jon
Jon,
How would you do the modulo math on this one?
IP Address: 10.0.2.65
Wildcard mask: 0.63.248.0
First Octet Match(es): 10
Second Octet Match(es): 0-63
Third Octet Match(es): 2, 10, 18, 26, 34, 42, 50, 58, 66, 74, 82, 90, 98, 106, 114, 122, 130, 138, 146, 154, 162, 170, 178, 186, 194, 202, 210, 218, 226, 234, 242, 250
Fourth Octet Match(es): 65
Jon,
You're exactly correct on where this need comes from. We have a little over 1200 retail stores and each store is given a /21 network. That /21 network is chopped up a certain way into multiple smaller subnets. Within each subnet specific machine types (POS, kiosks, customer service PCs, etc) have specific last octets. So we can tell what type of system it is by the IP address consistently across stores. The problem is that we may have a subnet with 10 PCs in it but only 2 (not contiguous IPs) need access to the Internet. So we end up having to make an IP list with over 2400 /32 entries to cover just these 2 machines in each store. We would be able to do it with 2 entries if we had the wildcard subnet flexibility.
I'm still trying to decode your solution but it will likely work too. I really appreciate you devoting that much time and effort to it!
Thanks!
MattS...