security_content/macros/non_public_ip_blocks.yml at develop · splunk/security_content · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
definition: (
  "10.0.0.0/8",
  "172.16.0.0/12",
  "192.168.0.0/16",
  "100.64.0.0/10",
  "127.0.0.0/8",
  "::1",
  "169.254.0.0/16",
  "192.0.0.0/24",
  "192.0.0.0/29",
  "192.0.0.8/32",
  "192.0.0.9/32",
  "192.0.0.10/32",
  "192.0.0.170/32",
  "192.0.0.171/32",
  "192.0.2.0/24",
  "198.51.100.0/24",
  "203.0.113.0/24",
  "192.31.196.0/24",
  "192.52.193.0/24",
  "192.88.99.0/24",
  "192.175.48.0/24",
  "198.18.0.0/15",
  "224.0.0.0/4",
  "240.0.0.0/4"
  )
description: |
  This macro defines non-public (private, reserved, or special-use) IPv4 and IPv6 address blocks as per RFC 1918, RFC 6598, RFC 5737, RFC 3927, RFC 5156, RFC 2544, and others.
  These include private LAN, loopback, link-local, reserved multicast, documentation, and certain experimental ranges.
  It can be used to filter out internal or non-routable IP addresses in detection searches and analytics.
  Update the macro definition if your environment includes unique non-public blocks or excludes any for your specific use case.
name: non_public_ip_blocks