net.ip_in_range_cidr
net.ip_in_range_cidr(ipAddress, subnetworkRange)
Description
Returns true when the given IP address is within the specified subnetwork.
You can use YARA-L to search for UDM events across all of the IP addresses within a subnetwork using the net.ip_in_range_cidr() statement.
Both IPv4 and IPv6 are supported.
To search across a range of IP addresses, specify an ip UDM field and a Classless Inter-Domain Routing (CIDR) range. YARA-L can handle both singular and repeating IP address fields.
Param data types
STRING, STRING
Return type
BOOL
Code samples
Example 1
IPv4 example:
net.ip_in_range_cidr($e.principal.ip, "192.0.2.0/24")
Example 2
IPv6 example:
net.ip_in_range_cidr($e.network.dhcp.yiaddr, "2001:db8::/32")
For an example rule using the net.ip_in_range_cidr() statement, see the example rule in Single Event within Range of IP Addresses.
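A single-event rule built around the two range checks above, as an added example rather than code from this page or from the product documentation. The rule name, the NETWORK_CONNECTION event type, the use of $e.target.ip and the meta values are assumptions chosen for illustration.

```yara-l
rule subnet_egress_single_event {
  meta:
    // Illustrative values, not from the original page.
    description = "Connection from a monitored subnet to an address outside it"
    severity = "Low"

  events:
    $e.metadata.event_type = "NETWORK_CONNECTION"

    // Source address is inside the monitored subnet, in either
    // address family (the IPv4 and IPv6 ranges from the samples above).
    (
      net.ip_in_range_cidr($e.principal.ip, "192.0.2.0/24") or
      net.ip_in_range_cidr($e.principal.ip, "2001:db8::/32")
    )

    // Destination address is outside both ranges. Separate lines in
    // the events section are combined with AND.
    not net.ip_in_range_cidr($e.target.ip, "192.0.2.0/24")
    not net.ip_in_range_cidr($e.target.ip, "2001:db8::/32")

  condition:
    $e
}
```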
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-07-14 UTC.