CB Response: ipaddr range process search fails to return expected results
Article ID: 292398

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

When using an ipaddr range search (example: ipaddr:[0.0.0.0 TO 170.3.43.254], or the negated form -ipaddr:[0.0.0.0 TO 170.3.43.254]), the results returned are incorrect: processes whose address falls inside the range are missed, and the negated form correspondingly fails to exclude them.

Environment

  • EDR Server: 6.x
  • EDR Server 7.3.0 and lower
  • Hosted EDR Server: 6.x
  • Hosted EDR Server: 7.3.0 and lower

Cause

This is due to an issue with the query parser not interpreting integer values correctly. The parser converts each IPv4 address to a signed 32-bit integer, so addresses of 128.0.0.0 and above become negative numbers. A range whose 'from' address is below 128.0.0.0 and whose 'to' address is at or above it is therefore evaluated as an integer range whose upper bound is lower than its lower bound, which matches nothing.

Resolution

  • This issue is fixed in EDR Server version 7.4.0, internally tracked in CB-30742. This version is now GA.
  • If upgrade is not possible, as a workaround, customers may split the ipaddr range into parts that do not cross 128.0.0.0: one part ending at 127.255.255.255 and one part starting at 128.0.0.0, joined with OR. No single part may have a 'from' value below 128.0.0.0 and a 'to' value at or above it.
    • Here are a couple of examples to illustrate two possible scenarios: one where the target IP is at or above the sign-flip value (128.0.0.0), and one where it is below it. Note: these may not be realistic queries, but they are used to illustrate the issue and the workaround:
      • When targeting an IP of 192.168.138.143, which is greater than or equal to 128.0.0.0 (after the bit flip happens):
        • (ipaddr:[0.0.0.0 TO 255.255.255.255]) = no results 
        • (ipaddr:[0.0.0.0 TO 192.168.138.143]) = no results
        • (ipaddr:[128.0.0.0 TO 255.255.255.255]) = results
        • (ipaddr:[128.0.0.0 TO 192.168.138.143]) = results
        • (ipaddr:[0.0.0.0 TO 127.255.255.255] OR ipaddr:[128.0.0.0 TO 255.255.255.255]) = results
        • (ipaddr:[0.0.0.0 TO 127.255.255.255] OR ipaddr:[128.0.0.0 TO 192.168.138.143]) = results
      • When targeting an IP of 51.105.208.173, which is less than or equal to 127.255.255.255 (before the bit flip happens):
        • (ipaddr:[0.0.0.0 TO 255.255.255.255]) = no results 
        • (ipaddr:[0.0.0.0 TO 51.105.208.173]) = results
        • (ipaddr:[0.0.0.0 TO 127.255.255.255]) = results
        • (ipaddr:[0.0.0.0 TO 128.0.0.0]) = no results
        • (ipaddr:[0.0.0.0 TO 127.255.255.255] OR ipaddr:[128.0.0.0 TO 255.255.255.255]) = results

Additional Information

  • This occurs when an ipaddr range query crosses from positive to negative values in the parser's signed 32-bit integer representation. As an example, ipaddr:[0.0.0.0 TO 169.254.169.254] translates to ipaddr:[0 TO \-1442928130]. When the 'to' part of the range is a negative integer and the 'from' part is a positive integer, the IPv4 range query will not return the relevant result documents. Any IPv4 range query that crosses from positive to negative values in this representation shows the issue.
  • An IPv4 range query crosses from positive to negative values only when the 'from' address is below 128.0.0.0 and the 'to' address is equal to or greater than 128.0.0.0 (assuming 'from' is less than 'to'). A range that lies entirely below 128.0.0.0, or entirely at or above it, is not affected.
    • ipaddr:[0.0.0.0 TO 127.255.255.255] converts to ipaddr:[0 TO 2147483647]
    • ipaddr:[0.0.0.0 TO 128.0.0.0] converts to ipaddr:[0 TO -2147483648]
    • ipaddr:[128.0.0.0 TO 255.255.255.255] converts to ipaddr:[-2147483648 TO -1]
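The following Python script is an added example, not code from Carbon Black or from this article, that reproduces the conversions listed above and the result table in the Resolution section, and generalises the workaround into a function that splits any ipaddr range at 128.0.0.0. It assumes the affected parser compares addresses as two's-complement signed 32-bit integers, exactly as the Additional Information section describes; the function and variable names (`buggy_range_matches`, `split_ipaddr_range`, `SIGN_BOUNDARY`, and so on) are this example's own and do not correspond to anything in the EDR server.

```python
import ipaddress
import struct

# Unsigned value of 128.0.0.0. Every address at or above it becomes negative
# when the parser reinterprets the unsigned IPv4 integer as a signed int32.
SIGN_BOUNDARY = 1 << 31


def ipv4_to_int(addr: str) -> int:
    """Unsigned 32-bit integer value of a dotted-quad IPv4 address."""
    return int(ipaddress.IPv4Address(addr))


def ipv4_to_signed_int32(addr: str) -> int:
    """Reinterpret the address as a two's-complement signed 32-bit integer.
    This models how the affected parser (EDR Server 7.3.0 and lower) sees
    ipaddr values: 169.254.169.254 -> -1442928130, 255.255.255.255 -> -1."""
    packed = struct.pack("!I", ipv4_to_int(addr))
    return struct.unpack("!i", packed)[0]


def range_crosses_sign_boundary(start: str, end: str) -> bool:
    """True when 'from' is below 128.0.0.0 and 'to' is at or above it,
    i.e. the signed integer range runs from a positive to a negative value."""
    return ipv4_to_int(start) < SIGN_BOUNDARY <= ipv4_to_int(end)


def buggy_range_matches(start: str, end: str, target: str) -> bool:
    """Model of the affected server: compare signed integers. A range whose
    signed upper bound is below its lower bound is empty and matches nothing."""
    lo, hi, t = (ipv4_to_signed_int32(a) for a in (start, end, target))
    return lo <= t <= hi


def fixed_range_matches(start: str, end: str, target: str) -> bool:
    """Intended semantics (what 7.4.0 returns): compare unsigned integers."""
    lo, hi, t = (ipv4_to_int(a) for a in (start, end, target))
    return lo <= t <= hi


def split_parts(start: str, end: str) -> list[tuple[str, str]]:
    """Split [start, end] into sub-ranges, none of which crosses 128.0.0.0."""
    lo, hi = ipv4_to_int(start), ipv4_to_int(end)
    if lo > hi:
        raise ValueError(f"'from' {start} is above 'to' {end}")
    bounds = [(lo, SIGN_BOUNDARY - 1), (SIGN_BOUNDARY, hi)] if lo < SIGN_BOUNDARY <= hi else [(lo, hi)]
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b))) for a, b in bounds]


def split_ipaddr_range(start: str, end: str, negate: bool = False) -> str:
    """Build the workaround query. A crossing range becomes two clauses joined
    with OR; a negated query negates the whole group so NOT covers both halves."""
    clauses = [f"ipaddr:[{a} TO {b}]" for a, b in split_parts(start, end)]
    query = clauses[0] if len(clauses) == 1 else "(" + " OR ".join(clauses) + ")"
    return "-" + query if negate else query


def workaround_matches(start: str, end: str, target: str) -> bool:
    """Evaluate the split query under the buggy parser: any clause hitting is a hit."""
    return any(buggy_range_matches(a, b, target) for a, b in split_parts(start, end))


if __name__ == "__main__":
    # Constructed targets taken from the article's two scenarios.
    for target in ("192.168.138.143", "51.105.208.173"):
        print(f"target {target} (signed {ipv4_to_signed_int32(target)})")
        for start, end in (("0.0.0.0", "255.255.255.255"), ("0.0.0.0", "128.0.0.0"),
                           ("0.0.0.0", "127.255.255.255"), ("128.0.0.0", "255.255.255.255")):
            print(f"  ipaddr:[{start} TO {end}]  buggy={buggy_range_matches(start, end, target)}"
                  f"  fixed={fixed_range_matches(start, end, target)}"
                  f"  crosses={range_crosses_sign_boundary(start, end)}")
        print("  workaround:", split_ipaddr_range("0.0.0.0", "255.255.255.255"),
              "->", workaround_matches("0.0.0.0", "255.255.255.255", target))
```

Running the script prints, for each target, which single ranges the buggy parser matches (the same pattern as the Resolution table) and the rewritten query that matches under both the affected and the fixed parser. `split_ipaddr_range` is safe to apply to every range unconditionally: a range that does not cross 128.0.0.0 is returned unchanged.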