There are several extensions that Sentinel has implemented for searching on IP addresses. Specifically, there are a number of convenient ways to specify IP address ranges. These are explained in the following sections:
Sentinel supports the Classless Inter-Domain Routing (CIDR) notation as a search value for IP address fields such as sip (initiator IP) and dip (target IP) for specifying an IP address range. The notation uses a combination of an IP address and a mask, as follows:
"xxx.xxx.xxx.xxx/n"
In this notation, n is the number of high order bits in the value to match. For example, consider the following query:
sip:"10.0.0.0/24"
This query returns events whose sip field is an IPv4 address ranging from 10.0.0.0 to 10.0.0.255.
The same notation works for IPv6 addresses. For example, consider the following query:
sip:"2001:DB8::/48"
This query returns events whose sip field is an IPv6 address ranging from 2001:DB8:: to 2001:DB8:0:FFFF:FFFF:FFFF:FFFF:FFFF.
You can use only the asterisk character (*) in the IP address search values to specify ranges of IP addresses. You cannot use the question mark (?) character.
In IPv4 addresses, an asterisk (*) can be used at any of the positions in the quad format. In IPv6 addresses, an asterisk (*) can be used between colons to specify a 16-bit segment. For example, all of the following queries are valid on the sip field:
sip:10.*.80.16
sip:10.02.*.*
sip:10.*.80.*
sip:"CAFE:*::FEED"
sip:"CAFE:*:FADE:*::FEED"
If an asterisk (*) is used in one of the quad positions in an IPv4 address or between colons in an IPv6 address, it cannot be combined with other digits. For example, all of the following queries are invalid:
sip:10.*7.80.16
sip:10.10*.80.16
sip:"CAFE:FA*::FEED"
sip:"CAFE:*DE::FEED"
Because the question mark (?) is not allowed, the following queries are invalid:
sip:10.10?.80.16
sip:10.?.80.16
sip:"CAFE:FA??::FEED"
sip:"CAFE:??DE::FEED"