Enricher - CIDR Expander
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
| Specifications | |
| --- | --- |
| Enricher name | CIDR Expander |
| Supported observable types | |
| Output | Enriches supported observable types. |
| Endpoint | |
| Description | Expands a given CIDR block to its possible IP addresses. |
Requirements
None
Set up enricher
This enricher can be run using its default settings.
You can modify the following settings for this enricher:
Required fields are marked with an asterisk (*).
| Field | Description |
| --- | --- |
| Max IPV4 CIDR range* | Set to /24 by default. Sets the maximum IP range that this enricher can expand. Observables that set an IP range that is larger than this will only expand to the range set here. |
| Max IPV6 CIDR range* | Set to /120 by default. Sets the maximum IP range that this enricher can expand. |
| Ignore failed expansions | Selected by default. When selected, the enricher does not show a Failed state when it is used to enrich CIDR observables with invalid CIDR blocks. See Valid CIDR ranges. |
To modify the enricher:
Go to Data configuration > Enrichers.
Select the enricher from the displayed list.
Edit the enricher by selecting from the top right More > Edit.
Make your changes.
Click Save to store your changes.
Maximum number of results
All enrichers can produce a maximum of 50 observables or entities per run. If the configured range allows an expansion to produce more than 50 results, the 51st result onwards is omitted.
Valid CIDR ranges
The enricher can only expand ipv4-cidr and ipv6-cidr observables that are valid CIDR blocks.
By default, the enricher does not report failures when it is used to expand an invalid CIDR block. To have the enricher explicitly fail in this case, clear the Ignore failed expansions option when configuring the enricher.
Valid CIDR blocks must have their interface identifier/host bits set to an address on the network boundary defined by the netmask/CIDR prefix length. For example:
10.11.12.0/30 is valid, and expands to 10.11.12.0 - 10.11.12.3.
The next valid CIDR block with the same netmask would be 10.11.12.4/30, which expands to 10.11.12.4 - 10.11.12.7.
10.11.12.5/30 is an invalid CIDR block because its host bits are not on the bitwise boundary set by the netmask.
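The following is an added example, not part of the original article or the product's own code. It reproduces the validity rule, the maximum range setting and the 50-result cap described above with Python's standard `ipaddress` module. The function name `expand_cidr`, its parameters, and the choice to clamp an oversized block to its first sub-block are assumptions.

```python
import ipaddress
from itertools import islice

MAX_RESULTS = 50              # per-run cap stated in "Maximum number of results"
MAX_PREFIX = {4: 24, 6: 120}  # defaults listed under "Set up enricher"


def expand_cidr(value, ignore_failed=True, max_prefix=MAX_PREFIX, limit=MAX_RESULTS):
    """Expand a CIDR block to at most `limit` addresses (hypothetical helper).

    strict=True rejects blocks whose host bits are set, which is the
    validity rule described above (10.11.12.5/30 is rejected).
    """
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError:
        if ignore_failed:
            return []   # mirrors "Ignore failed expansions" being selected
        raise           # option cleared: the failure is surfaced

    floor = max_prefix[net.version]
    if net.prefixlen < floor:
        # Assumption: a block larger than the maximum range is reduced to
        # the first sub-block of the maximum size.
        net = next(net.subnets(new_prefix=floor))

    # Iterating a network yields every address, including the first and
    # last, matching the 10.11.12.0 - 10.11.12.3 example above.
    return [str(ip) for ip in islice(net, limit)]


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ("10.11.12.0/30", "10.11.12.5/30", "10.11.0.0/16", "2001:db8::/64"):
        result = expand_cidr(sample)
        span = f"{result[0]} - {result[-1]}" if result else "no results (invalid block)"
        print(f"{sample:16} -> {len(result):2} results: {span}")
```

With the default /24 maximum, the 50-result cap means an oversized IPv4 block yields only the first 50 of its 256 clamped addresses, so analysts should not treat the output as full coverage of the range.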
Default configuration
These are the default configuration parameters for the CIDR Expander enricher:
Required fields are marked with an asterisk (*).
| Field | Description |
| --- | --- |
| Name | Leave this as “CIDR Expander”. Set by default. |
| Override TLP | Forces all entities and observables produced by this extension to inherit this TLP value. |
| Description* | Enter a description for this enricher. |
| Cache validity (sec)* | Set to 2592000 seconds (30 days) by default. |
| Rate limit (per sec)* | Set to 1000 seconds by default. |
| Monthly execution cap (runs)* | Set to 1000000 runs by default. |
| Source reliability* | Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System. |
| Observable types* | Observable types to enrich. By default, this is set to the observables supported by the enricher: |
| Enabled | Select to enable this enricher. |
| Max IPV4 CIDR range* | /24 |
| Max IPV6 CIDR range* | /128 |
| Ignore failed expansions | Selected by default. |
| SSL verification | Selected by default. Select to enable SSL verification. |
| Path to SSL certificate file | Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source. |