Query ELSA for string from URL?


Jeff

Oct 29, 2015, 1:04:49 PM10/29/15
to security-onion
Is it possible to search ELSA for strings in URLs not comprising the whole URL?

I wanted to do a search for possible passwords in URLs from my Bro logs.

I was able to do this on the command line:

user@securityonion:/nsm/bro/logs$ zgrep -r "password=" .

which took a while but ultimately resulted in a few hits (note I installed zutils to allow zgrep to search recursively)

I'd like to perform the same query in ELSA, but I'm not able to figure out how to do so.

I thought I could use the grep transform, but it doesn't seem to be working.

The query: class=BRO_HTTP "-" | grep(password=)

returns no results, but a grep on the command line finds the entries.

I also tried the query without the trailing = sign to see if that was throwing it off, but it doesn't seem to make a difference.

Jeff

Wes

Oct 29, 2015, 1:13:24 PM10/29/15
to security-onion
Jeff,

Per the ELSA documentation:

"Keywords
Keywords are the words indexed and available for searching. Note that you cannot search for a partial keyword, it must be complete. Also note that keywords are comprised of not only alpha-numeric words, but also hyphens, dots, and at-signs. So, these are all complete keywords:

1.1.1.1
this-example.com
m...@example.com
mal.form.ed-.ip.addr

Searches for 1.1 or example.com or ip.addr would all fail to find these terms. If you need to perform searches on partial keywords, you need to switch from an index query to an archive query by clicking the "Index" pull-down menu and choosing archive. Keep in mind that archive searches are slow, so narrowing down a time period will help significantly."

I would try having a look here:

https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#Syntax

It appears you can only do partial keyword searches with archive queries.

Thanks,
Wes

Doug Burks

Oct 29, 2015, 2:12:46 PM10/29/15
to securit...@googlegroups.com
Hi Jeff,

Please note that ELSA's grep requires two parameters separated by a comma:
1. the field that you want to search
AND
2. what you want to search for

Please try the following:
class=BRO_HTTP "-" | grep(uri,password)

If you want to search ALL fields instead of just uri, you can use a
dot like this:
class=BRO_HTTP "-" | grep(.,password)


--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com
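The field-scoped grep that the reply describes, reproduced as an added example over a Bro http.log file rather than inside ELSA (this is not ELSA's or Security Onion's own code). It parses the tab-separated log using the #fields header, then keeps records whose named field matches a pattern, with "." meaning every field, as in grep(.,password); the pattern is treated as a regular expression, which is this example's choice, and the three log records are constructed.

```python
import re
from typing import Dict, Iterable, Iterator, List

# Constructed sample: a fragment of a Bro http.log (tab-separated, with the
# #fields header that names each column). Values are made up.
SAMPLE_HTTP_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\tmethod\thost\turi\tuser_agent\n"
    "1446129000.123\t10.0.0.5\t93.184.216.34\tGET\texample.com"
    "\t/login?user=bob&password=hunter2\tMozilla/5.0\n"
    "1446129001.456\t10.0.0.5\t93.184.216.34\tGET\texample.com"
    "\t/index.html\tMozilla/5.0\n"
    "1446129002.789\t10.0.0.7\t93.184.216.34\tPOST\texample.com"
    "\t/api/reset?token=abc\tcurl/7.47\n"
)


def parse_bro_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):  # other header/footer lines
            continue
        if fields is None:
            raise ValueError("data record appeared before the #fields header")
        yield dict(zip(fields, line.split("\t")))


def grep_records(records: Iterable[Dict[str, str]], field: str,
                 pattern: str) -> Iterator[Dict[str, str]]:
    """ELSA-style grep(field, pattern): keep records whose field matches.
    A field of "." searches every field, like grep(.,password) above."""
    rx = re.compile(pattern)
    for rec in records:
        values = rec.values() if field == "." else [rec.get(field, "")]
        if any(rx.search(v) for v in values):
            yield rec


def find_credentials_in_uris(text: str, pattern: str = r"password=") -> List[str]:
    """Return the uri of every record whose uri contains the pattern.
    Defender's use: spot credentials being sent in query strings."""
    return [r["uri"] for r in grep_records(parse_bro_log(text), "uri", pattern)]


if __name__ == "__main__":
    for uri in find_credentials_in_uris(SAMPLE_HTTP_LOG):
        print(uri)
```

For the on-disk logs under /nsm/bro/logs the same functions can be fed the decompressed contents of each http.*.log.gz, which is what the zgrep in the original question walked through.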