convert decimal value to IP address

Follow
Avatar
giuseppe aloisi

Hello folks, 

I'm using a SIEM tool provided by the vendor absolute, part of the values they provide us are IP addresses in a decimal format. 

On Sumo's website, I was able to find https://help.sumologic.com/05Search/Search-Query-Language/Search-Operators/ipv4ToNumber which converts a number to decimal however, it does not to the inverse.

 

Does anyone know a way to convert decimal to IP in sumo logic?

2

Comments

1 comment

Sort by Date Votes
  • Avatar
    Log -o- Music
    • Edited

    Edit 2020-05-18: I updated my answer since I misread your question (I thought you were looking for an IP to number function, but it seems you want the opposite).

    Note: this is just a PoC provided "as is", you should test this before using it in your environment.

    Manually convert an integer IP to its base-256 dotted-decimal form

    Algorithm

    divide the integer number by 256 to the power of n, where n is:

    • 3 for the most significant byte --> byte_4
    • 2 for the 3rd byte --> byte_3
    • 1 for the 2nd byte --> byte_2

    get remainder of the least significant byte divided by 256 (modulo) --> byte_1
    concatenate byte_4, byte_3, byte_2, byte_1 with dots between them

    Example

    ip = 168496141
    byte_4 = int(ip/256^3 % 256) <=> int(ip/16777216 % 256) <=> int(10.0431526303) <=> 10
    byte_3 = int(ip/256^2 % 256) <=> int(ip/65536 % 256) <=> int(11.0470733643) <=> 11
    byte_2 = int(ip/256^1 % 256) <=> int(ip/256 % 256) <=> int(12.05078125) <=> 12
    byte_1 = int(ip/256^0 % 256) <=> int(ip % 256) <=> int(13) <=> 13
    ip_str = $byte_4 + "." + $byte_3 + "." + $byte_2 + "." + $byte_1 <=> 10.11.12.13

    Sumo Logic Query

    Assuming you have an IPv4 in integer representation in a field named "ip_int":

    | parse " integer_ip=* " as ip_int
    | concat(toString(int(ip/256/256/256 % 256)),".",toString(int(ip/256/256 % 256)),".",toString(int(ip/256 % 256)),".",toString(int(ip % 256))) as ip_string
    | fields ip_str, ip_int

    or a bit cleaner with pow() and format():

    | parse " integer_ip=* " as ip_int
    | format("%s.%s.%s.%s", int(ip/pow(256,3) % 256), int(ip/pow(256,2) % 256), int(ip/pow(256,1) % 256), int(ip % pow(256,0))) as ip_str
    | fields ip_str, ip_int


    Convert an IP address to its integer representation with the built-in ipv4ToNumber() function

     

    Sumo Logic Query

    Assuming you have an IPv4 address in a field named "ip_str":

    | parse " ip=* " as ip_string
    | ipv4ToNumber(ip) as ip_num
    | fields ip_string, ip_num

    Manually convert IPv4 to a number

    Algorithm

    multiply bytes by 256 to the power of n, where n is:

    • 3 for the most significant byte --> byte_4
    • 2 for the 3rd byte --> byte_3
    • 1 for the 2nd byte --> byte_2
    • 0 for the least significant byte -> byte_1

    add the results.

    Example

    10.11.12.13
    <=> 10*(256^3) + 11*(256^2) + 12*(256^1) + 13*(256^0)
    <=> 167772160 + 720896 + 3072 + 13
    <=> 168496141

    Sumo Logic Query

    Assuming you have an IPv4 address in a field named "ip_str":

    | parse field=ip_str "*.*.*.*" as byte_4, byte_3, byte_2, byte_1    // Explode IP into its bytes
    | byte_4 * pow(256,3) + byte_3 * pow(256,2) + byte_2 * pow(256,1) + byte_1 * pow(256,0) as int_ip // Math
    | fields -byte_4, byte_3, byte_2, byte_1    // Mask bytes_* fields (optional)

     

    Hope this helps.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post