govlog/cidre
CIDRE - CIDR Resolution and Analysis Tool

Read in French

License: GPL v2

CIDRE is a high-performance C tool for analyzing log files and extracting IP addresses, mapping them to their CIDR network blocks and countries. It downloads CIDR zone data from ipdeny.com and provides statistics about network traffic patterns.

This is a C port of an original Python tool by govlog (Christopher Amiaud). The translation to C was partially done with the help of Claude Code by Anthropic.

Why CIDRE?

The web has become a crowded place. Every day, countless automated agents crawl websites for various purposes: search engine indexers, AI companies harvesting data to train large language models, security researchers, and unfortunately, malicious actors engaged in credential stuffing, vulnerability scanning, or content theft.

In this context, real-time CIDR-based log analysis has become essential for system administrators. Understanding not just individual IPs, but entire network blocks and their geographic origin, helps distinguish legitimate traffic from aggressive scrapers or coordinated attacks. CIDRE gives you instant visibility into who is accessing your infrastructure and at what scale.

Log-Agnostic Design

CIDRE doesn't care about your log format. Apache, nginx, HAProxy, auth.log, mail.log, custom application logs - it works with all of them. The tool automatically detects and extracts both IPv4 and IPv6 addresses from any text input, without requiring format configuration or parsing rules.

This means you can monitor multiple heterogeneous log sources simultaneously:

# Monitor all your logs at once
cidre -f /var/log/apache2/*log /var/log/nginx/*.log /var/log/auth.log /var/log/mail.log

# Or use bash wildcards
cidre -f /var/log/*/*access*.log

# Analyze everything in a directory
cidre /var/log/httpd/*

Whether your logs contain 192.168.1.1, 2001:db8::1, or both mixed together, CIDRE handles them transparently.
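The extract-and-map step described above, as an added example that is not CIDRE's own code: it scans arbitrary log text for IPv4/IPv6 literals (including host:port forms and bracketed IPv6), validates each with inet_pton, and credits it to a CIDR zone by prefix match. The zone table and the log lines are constructed; the real tool loads the ipdeny.com zone files instead.

```c
/* Added example (not CIDRE's code): extract IPv4/IPv6 literals from any log text and credit each to a constructed CIDR zone. */
#include <arpa/inet.h>
#include <ctype.h>
#include <string.h>
typedef struct { const char *addr, *cc; int bits; unsigned char net[16]; int family; long hits; } zone_t;
/* Constructed stand-in for the per-country zone files CIDRE downloads from ipdeny.com. */
static zone_t zones[] = { {"203.0.113.0", "XX", 24}, {"198.51.100.0", "YY", 22}, {"2001:db8::", "ZZ", 32} };
#define NZONES (sizeof zones / sizeof zones[0])
/* Convert each zone's text address to binary and reset its counter; returns the number of valid zones. */
int init_zones(void) {
    int ok = 0;
    for (size_t i = 0; i < NZONES; i++) {
        zone_t *z = &zones[i]; z->hits = 0;
        z->family = inet_pton(AF_INET, z->addr, z->net) == 1 ? AF_INET
                  : inet_pton(AF_INET6, z->addr, z->net) == 1 ? AF_INET6 : 0;
        if (z->bits > (z->family == AF_INET ? 32 : 128)) z->family = 0;   /* reject a bad prefix length */
        ok += z->family != 0;
    }
    return ok;
}
/* Prefix match over whole bytes, then the partial byte; one routine serves both families. */
static int in_zone(const zone_t *z, int family, const unsigned char *a) {
    int full = z->bits / 8, rem = z->bits % 8;
    if (family != z->family || memcmp(z->net, a, full) != 0) return 0;
    return rem == 0 || ((z->net[full] ^ a[full]) & (0xFF << (8 - rem))) == 0;
}
static int ipchar(int c) { return isxdigit(c) || c == ':' || c == '.'; }
/* A token is an address if it parses as IPv6, else as IPv4 once any ":port" suffix is dropped. */
static int token_to_addr(char *tok, unsigned char *a) {
    if (inet_pton(AF_INET6, tok, a) == 1) return AF_INET6;
    char *colon = strchr(tok, ':'); if (colon) *colon = 0;
    return inet_pton(AF_INET, tok, a) == 1 ? AF_INET : 0;
}
/* Scan one line of any format, crediting the first zone containing each address (ipdeny zones do not overlap). */
int scan_line(const char *line) {
    int found = 0; size_t i = 0, n = strlen(line);
    while (i < n) {
        while (i < n && !ipchar((unsigned char)line[i])) i++;
        size_t s = i;
        while (i < n && ipchar((unsigned char)line[i])) i++;
        if (i - s < 3 || i - s >= INET6_ADDRSTRLEN) continue;   /* "::1" is the shortest literal */
        char tok[INET6_ADDRSTRLEN]; unsigned char a[16];
        memcpy(tok, line + s, i - s); tok[i - s] = 0;
        int fam = token_to_addr(tok, a); if (!fam) continue;
        found++;
        for (size_t z = 0; z < NZONES; z++) if (in_zone(&zones[z], fam, a)) { zones[z].hits++; break; }
    }
    return found;
}
```

Timestamps such as 14:23:01, version strings such as HTTP/1.1 and hex words such as deadbeef pass the character filter but are rejected by inet_pton, which is what keeps the scan format-agnostic without per-log parsing rules.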

License

CIDRE is free software distributed under the GNU General Public License v2. See https://www.gnu.org/licenses/gpl-2.0 for details.

Build

Standard Build (Linux with glibc)

cc -O3 -pipe -Wall -Wextra -Wpedantic -std=c11 -D_GNU_SOURCE cidre.c -o cidre

Static Build (with musl libc)

musl-gcc -static -O3 -pipe -Wall -Wextra -Wpedantic -std=c11 -D_GNU_SOURCE cidre.c -o cidre

Dependencies

  • C compiler (gcc or clang)
  • curl or wget (for downloading zone files)
  • tar (for extraction)

Usage

cidre [options] LOGFILE [LOGFILE...]

Options

Option                   Description
-f, --follow             Follow log files like tail -f (live monitoring mode)
-l, --limit N            Number of top results to show (default: 10 live, 20 batch)
-v, --verbose            Verbose output
--no-history             Skip reading existing log content (live mode only)
--no-whois               Skip WHOIS lookups for organization names
--ignore-pattern REGEX   Ignore lines matching this POSIX extended regex
--grep-pattern REGEX     Only process lines matching this POSIX extended regex
--update-zone            Force a re-download of the CIDR zone files from ipdeny.com
-h, --help               Show help message

Examples

# Analyze a single log file
cidre /var/log/apache/access.log

# Live monitoring of multiple log files
cidre -f /var/log/apache/access.log /var/log/haproxy.log

# Live monitoring with custom result limit
cidre -f -l 5 /var/log/apache/access.log

# Live monitoring without processing existing content
cidre -f --no-history /var/log/apache/*.log

# Filter out bot traffic
cidre --ignore-pattern "(bot|crawler)" /var/log/apache/access.log

# Only analyze API requests
cidre --grep-pattern "GET /api" /var/log/apache/access.log

# Analyze nginx logs without WHOIS lookups (faster)
cidre --no-whois /var/log/nginx/access.log

# Force update of CIDR zone files before analysis
cidre --update-zone /var/log/apache/access.log

# Monitor auth failures in real-time
cidre -f --grep-pattern "Failed password" /var/log/auth.log

# Analyze multiple log files at once
cidre /var/log/apache/access.log.1 /var/log/apache/access.log.2 /var/log/apache/access.log.3

Use Cases

  • Security monitoring: Identify suspicious traffic patterns, detect brute-force attacks by country
  • Traffic analysis: Understand where your visitors come from geographically
  • Abuse detection: Find CIDR blocks generating excessive requests
  • Incident response: Quickly identify the origin of an attack
  • Compliance reporting: Generate reports on traffic by country/region

Sample Output

Batch Mode

$ cidre /var/log/apache/access.log

[*] Using existing CIDR database
[*] Loading CIDR database into memory...
[*] Loaded 187432 IPv4 networks, 98215 IPv6 networks
[*] Analyzing /var/log/apache/access.log...
    Processed 524891 lines

================================================================================
CIDR ANALYSIS REPORT
================================================================================

Start: 2025-01-08 14:23:01 | Stop: 2025-01-08 14:23:08 | Duration: 00:00:07
Requests/sec: 74984.43 | Avg hits/IP: 12.34 | Total requests: 524891
================================================================================

[*] Looking up CIDR organizations (this may take a moment)...

Top CIDR Ranges by Requests:
--------------------------------------------------------------------------------
  1. US   44.192.0.0/10      -  18432 hits ( 312 IPs) - Amazon Technologies Inc...
  2. CN   223.104.0.0/12     -  12847 hits ( 891 IPs) - China Mobile
  3. DE   185.220.100.0/22   -   8921 hits (  47 IPs) - Tor Exit Nodes
  4. RU   5.188.0.0/16       -   6543 hits ( 234 IPs) - Petersburg Internet Net...
  5. FR   92.184.96.0/19     -   4521 hits ( 156 IPs) - Free SAS
     ... and 1847 more CIDR ranges

Top Countries by Requests:
--------------------------------------------------------------------------------
  1. US   - 89432 hits
  2. CN   - 45621 hits
  3. DE   - 23456 hits
  4. RU   - 18234 hits
  5. FR   - 12453 hits
     ... and 87 more countries

Top IPs by Requests:
--------------------------------------------------------------------------------
  1. US   44.192.45.123                          - 4521 hits
  2. CN   223.104.12.89                          - 3892 hits
  3. DE   185.220.101.45                         - 2341 hits
  4. RU   5.188.62.214                           - 1923 hits
  5. FR   92.184.112.78                          - 1245 hits
     ... and 42567 more IPs

Unknown IPs (not in CIDR database): 234
--------------------------------------------------------------------------------
    10.0.0.1
    192.168.1.1
    172.16.0.5
    ... and 231 more

================================================================================

Live Mode

$ cidre -f -l 5 /var/log/apache/access.log

[*] Starting live monitor for 1 file(s)...
[*] Reading initial content (use --no-history to skip)...
[*] Initial content loaded. Starting live monitor...

================================================================================
CIDRE Live Monitor - 2025-01-08 14:25:43
================================================================================

Start: --:--:-- | Uptime: 00:05:23 | Req/s: 42.31 | Avg hits/IP: 8.92

Top 5 CIDR Ranges (Total: 13587 hits)
--------------------------------------------------------------------------------
 1. US  44.192.0.0/10       2341 ( 156 IPs)  17.2%
 2. CN  223.104.0.0/12      1892 ( 234 IPs)  13.9%
 3. DE  185.220.100.0/22     987 (  23 IPs)   7.3%
 4. RU  5.188.0.0/16         654 (  45 IPs)   4.8%
 5. FR  92.184.96.0/19       432 (  67 IPs)   3.2%
    ... 234 more ranges     7281 (53.6%)

Top 5 Countries
--------------------------------------------------------------------------------
 1. US   4532 (33.4%)
 2. CN   2891 (21.3%)
 3. DE   1654 (12.2%)
 4. RU    987 ( 7.3%)
 5. FR    654 ( 4.8%)
    ... 34 more   2869 (21.1%)

Top 5 IPs
--------------------------------------------------------------------------------
 1. US  44.192.45.123          234 ( 1.7%)
 2. CN  223.104.12.89          198 ( 1.5%)
 3. DE  185.220.101.45         156 ( 1.1%)
 4. RU  5.188.62.214           123 ( 0.9%)
 5. FR  92.184.112.78           98 ( 0.7%)
    ... 1523 more IPs       12778 (94.0%)

--------------------------------------------------------------------------------
Total hits: 13587 | Unique IPs: 1528 | Unknown IPs: 12 | Countries: 39
================================================================================
Press Ctrl+C to stop...

Data Storage

All data is cached in ~/.cache/cidre/:

  • IPv4/IPv6 zone files from ipdeny.com
  • WHOIS lookup cache (whois.cache)

Authors

  • govlog (Christopher Amiaud) - Original Python tool
  • Partially translated to C with the help of Claude Code by Anthropic
