
I am needing to modify a default filter in a pack,

So, I'm finding myself needing to modify a default filter in a pack, which currently says: `C.Net.isPrivate(srcaddr) && C.Net.isPrivate(dstaddr) && action=='ACCEPT'`

Answers

  • Raanan Dagan

    hate to tell you, but the `C.Net` function is expensive. Regex might be a little lighter, believe it or not.

  • Raanan Dagan

    specifically if you have a high volume of data you're checking as to whether it's RFC1918 or not

  • Raanan Dagan

    I cratered Stream until we figured that out while I was checking the same thing for Palo Alto logs (lots of big logs with lots of IPs).

  • my new subnet falls on clean octet boundaries, so that shouldn't be too hard

  • Raanan Dagan

    I'd move the initial check to your pre-process pipeline/pack and create a temporary boolean variable to use in your filter.

  • Raanan Dagan

    something like, `__isPrivate==true` kind of thing
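
The approach suggested in the replies above, as an added example that is not part of the original thread and not Cribl's own code: a regex-based RFC 1918 check evaluated once per event into `__isPrivate`, so the filter only compares a boolean. It is plain JavaScript; the helper names (`isPrivate`, `tag`, `keep`, `keptIds`), the sample events and the extra `198.51.100.0/24` subnet are assumptions.

```javascript
// Added example (not from the thread): plain JavaScript, runs under Node.
// Strict dotted-quad IPv4 check, so values like "10.1.2.3.example" fail.
const IPV4 = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;

// RFC 1918 blocks plus one extra subnet on an octet boundary.
// 198.51.100.0/24 is a constructed placeholder (documentation range).
const PRIVATE_PREFIX = new RegExp('^(?:' + [
  '10\\.',                          // 10.0.0.0/8
  '172\\.(?:1[6-9]|2\\d|3[01])\\.', // 172.16.0.0/12
  '192\\.168\\.',                   // 192.168.0.0/16
  '198\\.51\\.100\\.',              // assumed extra subnet
].join('|') + ')');

function isPrivate(ip) {
  return typeof ip === 'string' && IPV4.test(ip) && PRIVATE_PREFIX.test(ip);
}

// Pre-processing step: evaluate the regex once per event and store a boolean.
function tag(event) {
  event.__isPrivate = isPrivate(event.srcaddr) && isPrivate(event.dstaddr);
  return event;
}

// Downstream filter: the cheap comparison suggested in the thread.
function keep(event) {
  return event.__isPrivate == true && event.action == 'ACCEPT';
}

// Constructed sample events (field names follow the filter quoted above).
const SAMPLE = [
  { id: 1, srcaddr: '10.1.2.3', dstaddr: '192.168.4.5', action: 'ACCEPT' },
  { id: 2, srcaddr: '172.32.0.1', dstaddr: '10.0.0.1', action: 'ACCEPT' },
  { id: 3, srcaddr: '172.31.255.254', dstaddr: '198.51.100.7', action: 'ACCEPT' },
  { id: 4, srcaddr: '10.0.0.9', dstaddr: '10.0.0.10', action: 'REJECT' },
  { id: 5, srcaddr: '10.1.2.3.example', dstaddr: '10.0.0.1', action: 'ACCEPT' },
  { id: 6, srcaddr: '110.1.1.1', dstaddr: '10.0.0.1', action: 'ACCEPT' },
];

function keptIds(events) {
  return events.map((e) => tag({ ...e })).filter(keep).map((e) => e.id);
}

console.log(keptIds(SAMPLE));
```

The regex matches only the listed ranges and only IPv4 dotted-quad strings, so compare it against the ranges your existing filter relies on before swapping it in.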