ELSA Queries in CIDR Notation

[LEON DINH]

Hello,

I was wondering if it was possible to search for multiple IP ranges using ELSA, preferably in CIDR notation. I am working on setting up multiple alerts for various different subnets.

Thanks,

L.D.

[Doug Burks]

Hi Leon,

Please see:
https://groups.google.com/d/topic/enterprise-log-search-and-archive/X0qbDUt6XAw/discussion

> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/d/optout.



--
Doug Burks

[LEON DINH]

Thanks for your response! I've tried using macros but seem to run into the same problem as before- I cannot search for more than one IP range in one query and get a "conflicting terms" error.

[Doug Burks]

My guess is that you're getting the "conflicting terms" error because
search terms are AND'd by default. Have you tried inserting an
explicit OR between search terms?

On Wed, May 21, 2014 at 9:45 AM, LEON DINH <ld...@wisc.edu> wrote:
> Thanks for your response! I've tried using macros but seem to run into the same problem as before- I cannot search for more than one IP range in one query and get a "conflicting terms" error.
>

[chris izatt]

I use something like this to search multiple subnets ("10.2.x.x" or "10.3.3.x")