FortiSOAR Discussions
craig
New Contributor II

Playbook - divide IP address into Octets

Hi,

 

I am looking for a solution to provide a conditional check on the first octet of an IP address, to see if it is an internal network address starting with 10. That is, a 10.x.x.x network address.

 

Any suggestions?

 

 

Thanks in advance,

Craig

 

1 REPLY
swolf
Staff

Depends on what you are wanting: a step, or just a filter.

 

The most robust method would be to simply use the Utility "Is IP in CIDR". You can pass it a single IP, or an array of IPs, and then define the subnet you want it to match. The nice advantage of that is that it splits out the results into matched results and not matched results.


Filter method? Plenty of options. You can start with the ipv4 filter:
{{ vars.ip | ipv4 | regex_search("^10\.\d+\.\d+\.\d+") }}

The ipv4 filter will filter out any non-IPv4 addresses. The regex pattern will match anything starting with "10.". Because we've already filtered out whether it's a private IP address, we shouldn't need to be that precise with the regex pattern.

You can also specify 'private' in the ipv4 filter, which would read as {{ "10.1.1.1" | ipv4('private') }}, to return only private IPv4 addresses. However, when it hits the regex_search it will error out for non-private addresses as it returns "null". You can fix that by going with an if statement:
{% if "10.1.1.1" | ipv4('private') %}{{ "10.1.1.1" | regex_search("^10\.\d+\.\d+\.\d+") }}{% endif %}

 

There are also other things that we can do with filters, such as ipsubnet, for example:
{{ "10.1.1.1" | ipsubnet('8') }}
which will return "10.0.0.0/8" and you can match on that.

Or you can do a simple string split on the period, return the first element of the split list, and then match on the number, for example:

{{ "10.1.1.1".split('.')[0] }} will return the 10, so:

{% if "10.1.1.1".split('.')[0] == "10" %}True{% else %}False{% endif %} will return True

 

Some methods are obviously faster than others, and work better with lists of IPs, so choose the method that works for you.
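
An added example, not part of the original thread and not FortiSOAR's own code: a Python sketch using the standard `ipaddress` module that contrasts the string-based checks from the reply (regex and split) with a parse-then-CIDR-membership test over a list of values. The function names and sample values are constructed for illustration, and `partition` only mirrors the matched / not matched output shape described for the "Is IP in CIDR" utility.

```python
import ipaddress
import re

# Same pattern as the regex_search filter in the reply (no end anchor).
FIRST_OCTET_RE = re.compile(r"^10\.\d+\.\d+\.\d+")


def regex_check(value):
    """String-only test: does the text start with 10.<digits>.<digits>.<digits>?"""
    return bool(FIRST_OCTET_RE.search(value))


def split_check(value):
    """String-only test: is the text before the first period exactly "10"?"""
    return value.split(".")[0] == "10"


def in_cidr(value, cidr="10.0.0.0/8"):
    """Parse the value as an IP address first, then test subnet membership.

    Anything that does not parse as an address never matches.
    """
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr)
    except ValueError:
        return False


def partition(values, cidr="10.0.0.0/8"):
    """Split a list into matched and not matched values (hypothetical helper)."""
    result = {"matched": [], "not_matched": []}
    for v in values:
        result["matched" if in_cidr(v, cidr) else "not_matched"].append(v)
    return result


# Constructed sample values, not taken from the thread.
SAMPLES = [
    "10.1.1.1",              # valid address inside 10.0.0.0/8
    "10.999.1.1",            # octet out of range: passes regex and split
    "10.1.1.1.example.com",  # hostname: passes regex and split
    "10.evil.example",       # hostname: passes split only
    "192.168.1.10",          # private, but not in 10.0.0.0/8
    "8.8.8.8",               # public address
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:22} regex={regex_check(s)!s:5} split={split_check(s)!s:5} cidr={in_cidr(s)}")
    print(partition(SAMPLES))
```
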