Enricher - CIDR Expander

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.


Specifications

Enricher name

CIDR Expander

Supported observable types

  • ipv4-cidr

  • ipv6-cidr

Output

Enriches supported observable types.

Endpoint

  • N/A

Description

Expands a given CIDR block to its possible IP addresses.

Requirements

None

Set up enricher

This enricher can be run using its default settings.

You can modify the following settings for this enricher:

Required fields are marked with an asterisk (*).

  • Max IPV4 CIDR range*: Set to /24 by default. Sets the maximum IP range that this enricher can expand. Observables that set an IP range that is larger than this will only expand to the range set here.

  • Max IPV6 CIDR range*: Set to /120 by default. Sets the maximum IP range that this enricher can expand.

  • Ignore failed expansions: Selected by default. When selected, the enricher does not show a Failed state when it is used to enrich CIDR observables with invalid CIDR blocks. See Valid CIDR ranges.

To modify the enricher:

  1. Go to Data configuration > Enrichers.

  2. Select the enricher from the displayed list.

  3. In the top right, select More > Edit.

  4. Make your changes.

  5. Click Save to store your changes.

Maximum number of results

All enrichers can produce a maximum of 50 observables or entities per run. If the configured range allows an expansion of more than 50 results, the 51st result onwards is omitted.

Valid CIDR ranges

The enricher can only expand ipv4-cidr and ipv6-cidr observables that are valid CIDR blocks.

By default, the enricher does not report failures when it is used to expand an invalid CIDR block. To have the enricher explicitly fail in this case, clear the Ignore failed expansions option when configuring the enricher.

The address of a valid CIDR block must sit on the network boundary defined by its netmask (CIDR prefix length), which means that all host bits (interface identifier bits) are zero. For example:

  • 10.11.12.0/30 is valid, and expands to 10.11.12.0 - 10.11.12.3.

  • The next valid CIDR block with the same netmask would be 10.11.12.4/30, which expands to 10.11.12.4 - 10.11.12.7.

  • 10.11.12.5/30 is an invalid CIDR block because its host bits are not on the bitwise boundary set by the netmask.
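The validity rule, the maximum-range setting and the 50-result cap described above can be reproduced with Python's standard ipaddress module. This is an added sketch, not the enricher's own code; the function name expand_cidr, the status strings, and the choice to narrow an oversized block to its first subnet of the maximum size are assumptions.

```python
import ipaddress
from itertools import islice

MAX_RESULTS = 50                      # per-run result cap stated on this page
DEFAULT_MAX_PREFIX = {4: 24, 6: 120}  # defaults listed under "Set up enricher"


def expand_cidr(value, max_prefix=None, ignore_failed=True):
    """Expand one ipv4-cidr / ipv6-cidr value.

    Returns (addresses, status) with status "ok", "truncated" or "ignored".
    Raises ValueError for an invalid block when ignore_failed is False.
    """
    try:
        # strict=True rejects blocks with host bits set, e.g. 10.11.12.5/30
        net = ipaddress.ip_network(value, strict=True)
    except ValueError:
        if ignore_failed:
            return [], "ignored"
        raise
    limit = (max_prefix or DEFAULT_MAX_PREFIX)[net.version]
    if net.prefixlen < limit:
        # Assumption: a block wider than the limit is narrowed to its first
        # subnet of the maximum size; the page does not say which part is kept.
        net = next(net.subnets(new_prefix=limit))
    # Iterating a network yields every address, network and broadcast included,
    # matching the page's "10.11.12.0 - 10.11.12.3" for a /30.
    addrs = [str(a) for a in islice(net, MAX_RESULTS + 1)]
    if len(addrs) > MAX_RESULTS:
        return addrs[:MAX_RESULTS], "truncated"
    return addrs, "ok"


if __name__ == "__main__":
    # Constructed sample observables
    for sample in ("10.11.12.0/30", "10.11.12.5/30", "10.11.0.0/16", "2001:db8::/64"):
        addrs, status = expand_cidr(sample)
        span = f"{addrs[0]} - {addrs[-1]}" if addrs else "-"
        print(f"{sample:16} {status:10} {len(addrs):3} {span}")
```

In this sketch any IPv4 block wider than /27 (32 addresses) hits the 50-result cap, so a block at the default /24 limit returns only its first 50 of 256 addresses.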

Default configuration

These are the default configuration parameters for the CIDR Expander enricher:

Required fields are marked with an asterisk (*).

  • Name: Leave this as “CIDR Expander”. Set by default.

  • Override TLP: Forces all entities and observables produced by this extension to inherit this TLP value.

  • Description*: Enter a description for this enricher.

  • Cache validity (sec)*: Set to 2592000 seconds (30 days) by default.

  • Rate limit (per sec)*: Set to 1000 seconds by default.

  • Monthly execution cap (runs)*: Set to 1000000 runs by default.

  • Source reliability*: Assign a reliability level to entities and observables produced by this extension. The values here are based on the Admiralty System.

  • Observable types*: Observable types to enrich. By default, this is set to the observables supported by the enricher: ipv4-cidr, ipv6-cidr.

  • Enabled: Select to enable this enricher.

  • Max IPV4 CIDR range*: /24

  • Max IPV6 CIDR range*: /128

  • Ignore failed expansions: Selected by default.

  • SSL verification: Selected by default. Select to enable SSL verification.

  • Path to SSL certificate file: Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.