A.6 IP Address Queries

Sentinel Log Manager implements several extensions for searching on IP addresses; in particular, it provides a number of convenient ways to specify IP address ranges. These are explained in the following sections:

A.6.1 CIDR Notation

Sentinel Log Manager supports Classless Inter-Domain Routing (CIDR) notation as a search value for IP address fields such as sip (initiator IP) and dip (target IP), so that a single value can specify a range of IP addresses. The notation combines an IP address with a prefix length, as follows:

xxx.xxx.xxx.xxx/n

In this notation, n is the number of high-order bits of the address that a matching value must share. For example, consider the following query:

sip:10.0.0.0/24

This query returns events whose sip field is an IPv4 address in the range 10.0.0.0 to 10.0.0.255.

A.6.2 Wildcards in IP Addresses

Only the asterisk character (*) can be used as a wildcard in IP address search values to specify ranges of IP addresses. The question mark (?) character is not supported.

In IPv4 addresses, an asterisk (*) can be used in any position of the dotted-quad format. For example, all of the following queries are valid on the sip field:

sip:10.*.80.16
sip:10.02.*.*
sip:10.*.80.*

If an asterisk (*) is used in one of the quad positions in an IPv4 address, it must occupy that entire position; it cannot be combined with digits. For example, all of the following queries are invalid:

sip:10.*7.80.16
sip:10.10*.80.16

Because the question mark (?) is not allowed, the following queries are invalid:

sip:10.10?.80.16
sip:10.?.80.16
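The two matching rules described in A.6.1 and A.6.2 (CIDR prefix length, and a single asterisk occupying a whole quad position), as an added Python example; this is not code from the Sentinel Log Manager documentation or product. How the validator treats edge cases such as leading zeros is an assumption modelled on the rules stated above, and the product's own parser may differ.

```python
import ipaddress
import re

# One dotted-quad position: either a lone "*" wildcard or a 1-3 digit octet.
# Leading zeros are tolerated here, matching the page's own example "10.02.*.*".
_OCTET = r"(\*|\d{1,3})"
_WILDCARD_RE = re.compile(rf"^{_OCTET}\.{_OCTET}\.{_OCTET}\.{_OCTET}$")


def parse_ip_search_value(value: str):
    """Validate an IPv4 search value (CIDR or single-asterisk wildcard quads)
    and return a matcher for sip/dip values. Raises ValueError for rejected
    forms such as "10.*7.80.16", "10.10*.80.16" or "10.10?.80.16"."""
    if "/" in value:
        # CIDR: the /n suffix is the number of high-order bits that must match.
        net = ipaddress.ip_network(value, strict=False)  # ValueError if malformed
        return lambda addr: ipaddress.ip_address(addr) in net

    m = _WILDCARD_RE.match(value)
    if m is None:
        raise ValueError(f"invalid IP search value: {value!r}")
    quads = m.groups()
    if any(q != "*" and int(q) > 255 for q in quads):
        raise ValueError(f"octet out of range in {value!r}")

    def matcher(addr: str) -> bool:
        parts = addr.split(".")
        if len(parts) != 4 or not all(p.isdigit() for p in parts):
            return False
        # "*" matches any octet; a literal octet must be numerically equal.
        return all(q == "*" or int(q) == int(p) for q, p in zip(quads, parts))

    return matcher


def matches(value: str, addr: str) -> bool:
    """True when addr falls inside the range described by the search value."""
    return parse_ip_search_value(value)(addr)


def is_valid(value: str) -> bool:
    """True when the search value is syntactically acceptable."""
    try:
        parse_ip_search_value(value)
    except ValueError:
        return False
    return True
```

Running the page's own queries through is_valid reproduces the valid/invalid split above, and matches shows which sip values each query would return.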