Hello everybody,

I've been trying to use IPv6 in a correlation rule but without success.
I'm trying to get a range of IPv6 addresses to be included in my rule,
specifically the IP4to6 addresses: "2002::/16".

I've tried:

filter( e.SourceIP match subnet( 2002::/16 ) ) - with and without
quotation marks.
I've tried escaping the colons ( 2002\:\:/16 ).
I've tried the asterisk notation that will work in the search field (
2002:* )
I've tried putting all 254 IPv6 notations for the actual network I'm
trying to include in a Dynamic List and using e.Source inList IPv6_list.
I tried it with lowercase and with uppercase.
In every case the test returned zero hits.

In the end I settled for a regex, which seems to work:
filter( e.SourceIP match regex ( "2002:.*" ) )

Now there has to be a better way to do this, isn't there? What if i want
to include several IPv6 blocks and not just one continuous network?

Has anyone experience with this problem?


turgon2007's Profile: https://forums.netiq.com/member.php?userid=9632
View this thread: https://forums.netiq.com/showthread.php?t=54465