net.ip_in_range_cidr

net.ip_in_range_cidr(ipAddress, subnetworkRange)

Description

Returns true when the given IP address is within the specified subnetwork.

You can use YARA-L to search for UDM events across all of the IP addresses within a subnetwork using the net.ip_in_range_cidr() statement. Both IPv4 and IPv6 are supported.

To search across a range of IP addresses, specify an ip UDM field and a Classless Inter-Domain Routing (CIDR) range. YARA-L can handle both singular and repeating IP address fields.

Param data types

STRING, STRING

Return type

BOOL

Code samples

Example 1

IPv4 example:

net.ip_in_range_cidr($e.principal.ip, "192.0.2.0/24")

Example 2

IPv6 example:

net.ip_in_range_cidr($e.network.dhcp.yiaddr, "2001:db8::/32")

For an example rule using the net.ip_in_range_cidr() statement, see the example rule in Single Event within Range of IP Addresses.
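
The two sample calls above placed in a complete single-event rule, as an added example that is not taken from the product documentation. The rule name, the meta values and the event-type filter are assumptions chosen for illustration.

```yara-l
rule principal_ip_in_sample_ranges {
  meta:
    // Constructed metadata for this added example.
    description = "Network connections whose principal IP falls in either sample range"
    severity = "LOW"

  events:
    // Assumed filter: limit evaluation to network connection events.
    $e.metadata.event_type = "NETWORK_CONNECTION"

    // principal.ip is a repeated UDM field. The IPv4 and IPv6 ranges are
    // the ones used in Example 1 and Example 2.
    (
      net.ip_in_range_cidr($e.principal.ip, "192.0.2.0/24") or
      net.ip_in_range_cidr($e.principal.ip, "2001:db8::/32")
    )

  condition:
    $e
}
```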