Sorin_Gogean
Advisor

Hey @Jonathan ,

So, I really don't see the problem here, you just need to format your JSON with two or more objects like (adjusted from sk167210):

{
    "version": "1.0",
    "description": "Generic Data Center file example",
    "objects": [
        {
            "name": "GOOD Object A name",
            "id": "e7f18b60-f22d-4f42-8dc2-050490ecf6d5",
            "description": "Example for IPv4 addresses",
            "ranges": [
                "91.198.174.192",
                "20.0.0.0/24",
                "10.1.1.2-10.1.1.10"
            ]
        },
        {
            "name": "BAD Object B name",
            "id": "a46f02e6-af56-48d2-8bfb-f9e8738f2bd0",
            "description": "Example for IPv6 addresses",
            "ranges": [
                "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
                "0064:ff9b:0000:0000:0000:0000:1234:5678/96",
                "2001:0db8:85a3:0000:0000:8a2e:2020:0-2001:0db8:85a3:0000:0000:8a2e:2020:5"
            ]
        }
    ]
}

 

So with the "GOOD Object A name" you can do whatever GOOD permissions 😁, while with the "BAD Object B name" you block them or whatever. 

 

Now, if by "somehow mark specific IPs, so that even if they are added to the JSON file they will be ignored" you meant the other way, like to take action when the JSON is generated, for that you will have to perform it from the scripting/programming end where the JSON is generated. We did something like that, as we're generating some JSON with BAD IP addresses (like SCAN, MALICIOUS, etc.) that our SIEM sees (and not only the SIEM), and just as a failsafe we built a function that gets each IP address (or network) and compares it with the WHITELIST IPs and networks that we have defined; if it matches, it doesn't add the IP or the network to the JSON (in order to be blocked) but notifies us, so that we are aware that an IP of ours was added to the list that we use to generate the JSON. Hopefully it's understandable; if not, let me know and I'll try to explain better.
(Our JSON is with IPs or networks that we BLOCK)

 

Thank you,

 

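A sketch of the allowlist failsafe described in the post above, as an added example that is not the poster's script or Check Point code. The function names, the sample addresses and the alert format are assumptions; the JSON field names follow the file shown in the post. It goes slightly beyond an exact match and also catches a block entry that merely overlaps an allowlisted network, such as a wider supernet.

```python
import ipaddress
import json
import uuid

def parse_range(entry):
    """Return (first, last) for 'ip', 'ip/prefix' or 'first-last' entries."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad range: {entry}")
        return first, last
    net = ipaddress.ip_network(entry.strip(), strict=False)
    return net.network_address, net.broadcast_address

def overlaps(a, b):
    """True when two (first, last) spans of the same IP version intersect."""
    return a[0].version == b[0].version and a[0] <= b[1] and b[0] <= a[1]

def build_block_feed(candidates, allowlist, name="BAD Object B name", object_id=None):
    """Return (feed document, alerts); allowlisted entries never reach the feed."""
    allowed = [(a, parse_range(a)) for a in allowlist]
    ranges, alerts = [], []
    for entry in candidates:
        try:
            span = parse_range(entry)
        except ValueError:
            alerts.append((entry, "unparseable"))  # skip and report bad input
            continue
        hit = next((a for a, s in allowed if overlaps(span, s)), None)
        if hit is None:
            ranges.append(entry)
        else:
            alerts.append((entry, hit))  # one of ours: notify, do not block
    feed = {"version": "1.0", "description": "Generated block list",
            "objects": [{"name": name, "id": object_id or str(uuid.uuid4()),
                         "description": "Addresses to block", "ranges": ranges}]}
    return feed, alerts

if __name__ == "__main__":
    # Constructed sample data, not real indicators.
    ALLOW = ["10.1.1.0/24", "2001:db8:85a3::/48"]
    BAD = ["91.198.174.192", "20.0.0.0/24", "10.1.1.2-10.1.1.10", "10.0.0.0/8"]
    feed, alerts = build_block_feed(BAD, ALLOW)
    print(json.dumps(feed, indent=2))
    for entry, reason in alerts:
        print(f"NOT added to block list ({reason}): {entry}")
```
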