Question

I am needing to modify a default filter in a pack,

Forum|Forum|8 months ago
March 11, 2025
6 replies
3 views

Mick Shanaghy
Employee
2 replies

So, I'm finding myself needing to modify a default filter in a pack, which currently says:```C.Net.isPrivate(srcaddr) && C.Net.isPrivate(dstaddr) && action=='ACCEPT'```

Raanan Dagan
Employee
100 replies
Forum|Forum|8 months ago
March 11, 2025

hate to tell you, but the http://C.Net|C.Net function is expensive. Regex might be a little lighter, beleive it or not.

Raanan Dagan
Employee
100 replies
Forum|Forum|8 months ago
March 11, 2025

specifically if you have a high volume of data you're checking as to whether it's RFC1918 or not

Raanan Dagan
Employee
100 replies
Forum|Forum|8 months ago
March 11, 2025

I cratered Stream until we figured that out while I was checking the same thing for Palo Alto logs (lots of big logs with lots of IPs).

M

Mick Shanaghy
Author
Employee
2 replies
Forum|Forum|8 months ago
March 11, 2025

my new subnet falls on clean octet boundaries, so that shouldn't be too hard

Raanan Dagan
Employee
100 replies
Forum|Forum|8 months ago
March 11, 2025

I'd move the initial check to your pre-process pipeline/pack and create a temporary boolean variable to use in your filter.

Raanan Dagan
Employee
100 replies
Forum|Forum|8 months ago
March 11, 2025

something like, `__isPrivate==true` kind of thing

Sign up

Using your Cribl.Cloud account

Login to the community

Using your Cribl.Cloud account

Scanning file for viruses.

This file cannot be downloaded