Capture all HTTP traffic except from one IP range

triggers

#1

Hello,

I’m trying to write a trigger that will only capture HTTP traffic if the traffic does not come from a specific IP range. We receive security scans monthly and it creates unnecessary noise/alerts. I would like to capture all the traffic except that which comes from the security team’s source IP range.

I’ve reviewed the trigger API documentation; however, I’m not following how I would go about writing it.

We use the following HTTP_RESPONSE to capture application metrics for company.aspx, and I’m guessing I would need to use an HTTP_REQUEST condition to start with the IP range.

var Path = "/company.aspx";

if (HTTP.uri.toLowerCase().indexOf(Path) > -1) {
    Application(Path).commit();
}

Any help would be appreciated.

Thanks,

Charlie


#2

Hi Charlie,

You can access Flow.client.ipaddr within your existing HTTP_RESPONSE trigger. Matching subnets is easier than arbitrary ranges of IPs. For example, this code fragment matches anything on the 192.168/16 subnet and returns.

// Client is inside 192.168.0.0/16: skip the rest of the trigger
if (Flow.client.ipaddr.mask(16) == "192.168.0.0") {
    return;
}

Hope this helps!
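Added example (not from this thread or the ExtraHop trigger API): plain-JS helpers that generalize the mask(16) test to any CIDR prefix and also handle an arbitrary first..last range, which the reply notes is harder to express with mask(). It assumes the client address is available as a dotted-quad string (e.g. from Flow.client.ipaddr via String()); the SCANNER_SOURCES values are constructed samples.

```javascript
// Convert "a.b.c.d" to an unsigned 32-bit integer; null on malformed input.
function ipv4ToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    n = (n * 256) + octet;
  }
  return n;
}

// True when ip lies inside a CIDR block such as "192.168.0.0/16".
function ipInCidr(ip, cidr) {
  var pieces = cidr.split("/");
  var net = ipv4ToInt(pieces[0]), addr = ipv4ToInt(ip);
  var bits = parseInt(pieces[1], 10);
  if (net === null || addr === null || isNaN(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true;                       // /0 matches everything
  var mask = (0xFFFFFFFF << (32 - bits)) >>> 0;      // unsigned 32-bit netmask
  return ((addr & mask) >>> 0) === ((net & mask) >>> 0);
}

// True when ip is within the inclusive range first..last (not subnet-aligned).
function ipInRange(ip, first, last) {
  var a = ipv4ToInt(ip), lo = ipv4ToInt(first), hi = ipv4ToInt(last);
  if (a === null || lo === null || hi === null) return false;
  return a >= lo && a <= hi;
}

// Scanner source addresses to exclude (constructed sample values).
var SCANNER_SOURCES = ["192.168.0.0/16", "10.1.5.20-10.1.5.40"];

// True when the client address should be skipped by the trigger.
function isExcludedClient(ip) {
  for (var i = 0; i < SCANNER_SOURCES.length; i++) {
    var entry = SCANNER_SOURCES[i];
    if (entry.indexOf("/") !== -1) {
      if (ipInCidr(ip, entry)) return true;
    } else {
      var bounds = entry.split("-");
      if (ipInRange(ip, bounds[0], bounds[1])) return true;
    }
  }
  return false;
}
// Inside the HTTP_RESPONSE trigger (assumes Flow.client.ipaddr stringifies to a dotted quad):
//   if (isExcludedClient(String(Flow.client.ipaddr))) { return; }
//   if (HTTP.uri.toLowerCase().indexOf(Path) > -1) { Application(Path).commit(); }
```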