From 1d870eb0b1b16cdfe25c4100a13da6057cbcfa29 Mon Sep 17 00:00:00 2001
From: tkatzir
Date: Thu, 7 Mar 2024 20:37:22 +0200
Subject: [PATCH] IP CIDR Ranges IPv4 IPv6 Mismatches (#33246)
---
 .../ReleaseNotes/1_2_63.md | 6 +++++
 .../Scripts/IsInCidrRanges/IsInCidrRanges.js | 24 ++++++++++++++-----
 .../Scripts/IsInCidrRanges/IsInCidrRanges.yml | 6 ++---
 .../Scripts/IsInCidrRanges/README.md | 8 +++----
 .../FiltersAndTransformers/pack_metadata.json | 2 +-
 5 files changed, 32 insertions(+), 14 deletions(-)
 create mode 100644 Packs/FiltersAndTransformers/ReleaseNotes/1_2_63.md
diff --git a/Packs/FiltersAndTransformers/ReleaseNotes/1_2_63.md b/Packs/FiltersAndTransformers/ReleaseNotes/1_2_63.md
new file mode 100644
index 000000000000..df3976163b94
--- /dev/null
+++ b/Packs/FiltersAndTransformers/ReleaseNotes/1_2_63.md
@@ -0,0 +1,6 @@
+
+#### Scripts
+
+##### IsInCidrRanges
+
+- Fixed an issue where using different protocol versions (IPv4 and IPv6), which could return erroneous results.
diff --git a/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.js b/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.js
index 1faa36551a5b..6747558a2374 100644
--- a/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.js
+++ b/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.js
@@ -71,24 +71,31 @@ function validateCIDR(cidrRange) { return true; // CIDR range is well-formed } +function getCIDRNetworkAddress(cidrRange) { + return cidrRange.split('/')[0] +} + +function getCIDRSubnetMask(cidrRange) { + return cidrRange.split('/')[1] +} + function isIPInCIDR(ipAddress, cidrRange) { if (!validateCIDR(cidrRange)) { return false; } - var parts = cidrRange.split('/'); - var networkAddress = parts[0]; - var subnetMask = parts[1]; + var networkAddress = getCIDRNetworkAddress(cidrRange); + var cidrSubnetMask = getCIDRSubnetMask(cidrRange); // Convert IP address and network address to binary var ipBinary = ipToBinary(ipAddress); var networkBinary = ipToBinary(networkAddress); // Get the network part of the IP address based on the subnet mask - var networkPart = ipBinary.slice(0, parseInt(subnetMask, 10)); + var networkPart = ipBinary.slice(0, parseInt(cidrSubnetMask, 10)); // Check if the network parts match - return networkPart === networkBinary.slice(0, parseInt(subnetMask, 10)); + return networkPart === networkBinary.slice(0, parseInt(cidrSubnetMask, 10)); } function isIPInAnyCIDR(ipAddresses, cidrRanges) { @@ -98,7 +105,12 @@ for (let i = 0; i < ipAddresses.length; i++) { isInRange = false; for (let j = 0; j < cidrRanges.length; j++) { - if (isIPInCIDR(ipAddresses[i], cidrRanges[j])) { + + // Mismatches are always false + if ((!isIPv6(ipAddresses[i]) && isIPv6(getCIDRNetworkAddress(cidrRanges[j]))) + || ( isIPv6(ipAddresses[i]) && !isIPv6(getCIDRNetworkAddress(cidrRanges[j])))) { + results[i] = 'False'; + } else if (isIPInCIDR(ipAddresses[i], cidrRanges[j])) { isInRange = true; results[i] = 'True'; break; diff --git a/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.yml b/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.yml index 05b642768edd..62d18789c5d7 100644 --- a/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.yml 
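Review bot: The address-family check is missing from `isIPInCIDR` itself; the commit places it only in the `isIPInAnyCIDR` loop, so any other caller of `isIPInCIDR` would still compare an IPv4 bit string against an IPv6 prefix, or the reverse. The script is tagged as a filter, so a wrong `true` can feed an allow/deny decision, and the invariant is better enforced at the lowest level: add `if (isIPv6(ipAddress) !== isIPv6(networkAddress)) { return false; }` right after `networkAddress` is assigned. The two new helpers also end their `return` lines without a semicolon, unlike the surrounding code, and `parseInt(cidrSubnetMask, 10)` is evaluated twice where one local would do.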
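Review bot: The mismatch condition in the inner loop calls `isIPv6` four times and treats everything that is not IPv6 as IPv4, so a malformed address or range is classified by that fallback rather than rejected; `isIPv6` is defined outside this hunk, so its handling of such input cannot be checked from here. The test reduces to `if (isIPv6(ipAddresses[i]) !== isIPv6(getCIDRNetworkAddress(cidrRanges[j]))) {`, and the `results[i] = 'False'` assignment deserves a comment saying that a later range in the list may still overwrite it with `'True'`. It also looks as if an IPv4-mapped IPv6 address would now never match an IPv4 range, which is worth stating in the docs if intended. The diffstat lists no test file, so a mismatch case (IPv4 address against an IPv6 range, and the reverse) should be added to the script's tests. The loop body continues outside the hunk.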
+++ b/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/IsInCidrRanges.yml @@ -6,17 +6,17 @@ script: '' type: javascript tags: - filter -comment: Determines whether an IPv4 or IPv6 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4/IPv6 addresses can be passed comma-delimited and each will be tested. +comment: Determines whether an IPv4 or IPv6 address is contained in at least one of the comma-delimited CIDR ranges. Multiple IPv4/IPv6 addresses can be passed comma-delimited and each will be tested. A mix of IPv4 and IPv6 addresses will always return false. enabled: true args: - name: left required: true isArray: true - description: The IPv4/IPv6 address (or comma-delimited addresses) to check. + description: A comma-separated list of IPv4 or IPv6 addresses to search for. - name: right required: true isArray: true - description: A comma-delimited list of IPv4/IPv6 ranges in CIDR notation against which to match. + description: A comma-separated list of IPv4 or IPv6 ranges in CIDR notation against which to match. scripttarget: 0 runas: DBotWeakRole tests: diff --git a/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/README.md b/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/README.md index 4e3ca2b6eeaf..dcbe1b07c353 100644 --- a/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/README.md +++ b/Packs/FiltersAndTransformers/Scripts/IsInCidrRanges/README.md @@ -1,5 +1,5 @@ -Determines whether an IPv4 address is in part of at least one of the comma-delimited CIDR ranges given. Multiple IPv4 -addresses can be passed as comma-delimited list to be checked. +Determines whether an IPv4 or IPv6 address is in part of at least one of the comma-delimited CIDR ranges given. Multiple IPv4/IPv6 +addresses can be passed as comma-delimited list to be checked. A mix of IPv4 and IPv6 addresses will always return false. ## Script Data 
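Review bot: The sentence added to `comment`, "A mix of IPv4 and IPv6 addresses will always return false", can be read as saying that a `left` list holding both families yields false for every entry, while the loop changed in IsInCidrRanges.js only refuses to match an address against a range of the other family. A wording such as `An address is never matched against a CIDR range of the other IP version (IPv4 vs. IPv6).` would describe the filter's behaviour unambiguously; the same sentence is added to README.md. Since the script is tagged as a filter, this text is presumably what playbook authors consult when writing allow/deny conditions, so the distinction matters.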
@@ -17,5 +17,5 @@ addresses can be passed as comma-delimited list to be checked. | **Argument Name** | **Description** | | --- | --- | -| left | The IPv4 address to search for. | -| right | A comma-separated list of IPv4 ranges in CIDR notation against which to match. | +| left | The IPv4 or IPv6 address to search for. | +| right | A comma-separated list of IPv4 or IPv6 ranges in CIDR notation against which to match. | diff --git a/Packs/FiltersAndTransformers/pack_metadata.json b/Packs/FiltersAndTransformers/pack_metadata.json index ef6253b5a779..ede69cc60683 100644 --- a/Packs/FiltersAndTransformers/pack_metadata.json +++ b/Packs/FiltersAndTransformers/pack_metadata.json @@ -2,7 +2,7 @@ "name": "Filters And Transformers", "description": "Frequently used filters and transformers pack.", "support": "xsoar", - "currentVersion": "1.2.62", + "currentVersion": "1.2.63", "author": "Cortex XSOAR", "url": "https://www.paloaltonetworks.com/cortex", "email": "",