Re: [security-onion] elsa search question


Matt Gregory

Apr 16, 2014, 8:40:06 PM4/16/14
to securit...@googlegroups.com

Hi Jeff,

I don't believe you can directly query for a subnet mask, but you can limit the results to a range like this:

class=BRO_HTTP +BRO_HTTP.srcip>192.168.1.0 +BRO_HTTP.srcip<192.168.1.255

The '+' acts like an 'and'.  See also:


Matt

On Wed, Apr 16, 2014 at 2:47 PM, Jeff Nucciarone <jeff.nu...@gmail.com> wrote:
I think I'm having one of those moments when something simple is slipping my mind....

I want to do a search on all http traffic from one of my subnets and group the output by destination ip.

How do I limit ELSA searches by subnet mask?

something along the lines of:

class=BRO_HTTP 10.1.1.0/22 groupby:dstip

Since 10.1.1.0/22 doesn't match anything I get 0 results. How do I limit searches based on the srcip field?

Thanks,

--Jeff

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.
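Added example (not from the thread and not ELSA's own code): a small helper that turns the CIDR block Jeff wanted into the two-bound range query Matt describes, plus a local emulation of the `groupby:dstip` step over constructed BRO_HTTP records so the bounds can be checked offline. It assumes, as Matt's syntax implies, that ELSA compares the `srcip` field numerically and that `>` / `<` are strict, so the generated bounds are widened by one address on each side; Matt's own `>192.168.1.0` / `<192.168.1.255` form leaves out the first and last address of the block, which is fine for host traffic but worth knowing when the boundary addresses matter. The class and field names default to the thread's `BRO_HTTP` / `srcip`; the sample records and destination addresses are constructed.

```python
import ipaddress
from collections import Counter


def _to_int(ip):
    """Integer form of an IPv4 address given as str or IPv4Address."""
    return int(ipaddress.IPv4Address(str(ip)))


def cidr_to_bounds(cidr):
    """Exclusive lower/upper bounds that cover every address of the block.

    Returns IPv4Address objects, or None where the block already touches the
    edge of the address space (0.0.0.0 or 255.255.255.255) and no bound is needed.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)  # accepts 10.1.1.0/22 as given
    first, last = int(net.network_address), int(net.broadcast_address)
    lower = ipaddress.IPv4Address(first - 1) if first > 0 else None
    upper = ipaddress.IPv4Address(last + 1) if last < 2**32 - 1 else None
    return lower, upper


def cidr_to_elsa_query(cidr, klass="BRO_HTTP", field="srcip", groupby=None):
    """Build the range-style ELSA query from the thread for a CIDR block.

    Assumption: ELSA evaluates '+CLASS.field>X' and '+CLASS.field<X' as strict
    numeric comparisons on the stored IP, so the bounds are widened by one
    address so that the network and broadcast addresses are included.
    """
    lower, upper = cidr_to_bounds(cidr)
    terms = [f"class={klass}"]
    if lower is not None:
        terms.append(f"+{klass}.{field}>{lower}")
    if upper is not None:
        terms.append(f"+{klass}.{field}<{upper}")
    if groupby:
        terms.append(f"groupby:{groupby}")
    return " ".join(terms)


def in_strict_range(ip, lower, upper):
    """Emulate the strict '>' / '<' test on an IP; None means 'no bound'."""
    n = _to_int(ip)
    if lower is not None and not n > _to_int(lower):
        return False
    if upper is not None and not n < _to_int(upper):
        return False
    return True


def group_dst_by_src_block(records, cidr):
    """Local stand-in for 'groupby:dstip' over records whose srcip is in the block."""
    lower, upper = cidr_to_bounds(cidr)
    hits = (r["dstip"] for r in records if in_strict_range(r["srcip"], lower, upper))
    return dict(Counter(hits))


# Constructed BRO_HTTP-style records (not real log data); only the two
# fields the query touches are kept.
SAMPLE_BRO_HTTP = [
    {"srcip": "10.1.2.15", "dstip": "93.184.216.34"},
    {"srcip": "10.1.3.255", "dstip": "93.184.216.34"},  # broadcast address of 10.1.0.0/22
    {"srcip": "10.1.0.0", "dstip": "198.51.100.7"},     # network address of 10.1.0.0/22
    {"srcip": "10.1.4.1", "dstip": "198.51.100.7"},     # first address outside the /22
    {"srcip": "192.168.1.20", "dstip": "203.0.113.9"},  # different subnet entirely
]


if __name__ == "__main__":
    print(cidr_to_elsa_query("10.1.1.0/22", groupby="dstip"))
    print(group_dst_by_src_block(SAMPLE_BRO_HTTP, "10.1.1.0/22"))
    # Matt's literal bounds drop 192.168.1.255 because '<' is strict:
    print(in_strict_range("192.168.1.255", "192.168.1.0", "192.168.1.255"))
```

For Jeff's `10.1.1.0/22` the helper emits `class=BRO_HTTP +BRO_HTTP.srcip>10.0.255.255 +BRO_HTTP.srcip<10.1.4.0 groupby:dstip`; the block is normalised to `10.1.0.0/22` first, which is why the lower bound sits below `10.1.0.0` rather than below `10.1.1.0`. If you would rather match Matt's style exactly, pass the network and broadcast addresses as the bounds and accept that those two addresses are excluded.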

chris izatt

Feb 17, 2017, 1:44:46 PM2/17/17
to security-onion
I use something like this to search multiple subnets ("10.2.x.x" or "10.3.x.x")

works for me.