sguil.tk query builder getting past 'Click in the text box....'


controlling chaos

Aug 29, 2014, 7:59:27 PM
to securit...@googlegroups.com
OK, I know this is probably incredibly stupid and obvious, and google was not my friend on this. Not to mention probably an inappropriate question for this forum, but....

Yesterday there were a large number of HSRP events, and snort flagged them. So I'm trying to build an event query in sguil.tk to dig a bit deeper.

I'm in query builder. Select query type 'Events' is selected.
The text box says:

WHERE event.timestamp > '2014-08-22' AND <insert query here>

So I click (or highlight, I've tried both) in the <insert query here> space.

Then below that I select TABLES -> event -> Signature (var string) 255

If I move back up to the 'edit where clause1' box, and click on the 'LIKE' button, I get a complicated looking error box.

If I just click 'Submit' (which feels wrong, since there's nothing to submit yet) I get a 'Click in the text box you want to insert data into first'.

Tried lots of different combos. Googled all morning. No joy.

I'm sure it's something plainly intuitive and obvious to the casual observer, but I'm at a loss as to what to do next.

Help?

thx.

Doug Burks

Aug 30, 2014, 5:52:36 AM
to securit...@googlegroups.com
Hi control-chaos,

How are you going into Query Builder? When I click Query --> Query
Builder, I do not get the "WHERE event.timestamp > '2014-08-22' AND
<insert query here>" part.

Can you provide screenshots?

You may also want to consider searching in ELSA if you have that enabled.
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

controlling chaos

Aug 31, 2014, 2:59:55 PM
to securit...@googlegroups.com
Be happy to. Hope it attaches properly 8)

Thanks!
SO-sguil.tk-query-event-table.png

controlling chaos

Aug 31, 2014, 3:02:15 PM
to securit...@googlegroups.com
I just reread what you typed. I am not going into query builder from query-> query builder. I was getting there via query->query event table. It didn't cross my mind to go directly to query-> query builder (yeah, I know...).

Let me play with that a bit and I'll get back to you.

controlling chaos

Aug 31, 2014, 3:09:25 PM
to securit...@googlegroups.com
OK, tried direct query -> query builder and wound up at the same place. See attached.

SO-sguil.tk-direct-to-query-builder.png

Doug Burks

Sep 4, 2014, 7:48:35 AM
to securit...@googlegroups.com
Yes, I'm able to duplicate this. Looks like a bug. Here are a few options:

- select TABLES -> event -> Signature (var string) 255 and then
*middle-click* in the "Where Clause" box. This will copy/paste the
entire highlighted text, so you'll need to remove some of the extra
text.

- simply type "signature" manually

- use ELSA

On Sun, Aug 31, 2014 at 3:09 PM, controlling chaos <contro...@inbox.com> wrote:
> OK, tried direct query -> query builder and wound up at the same place. See attached.
>
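As an added illustration (not part of the thread or of Sguil itself), this is what the hand-typed "signature" clause from the workaround above ends up as, followed by a query run directly against the Sguil database to summarise the HSRP burst. It assumes the standard Sguil MySQL schema (event.timestamp, event.signature, event.src_ip/dst_ip stored as unsigned integers, event.sid joined to sensor.sid, sensor.hostname); the '%HSRP%' pattern is a constructed sample.

```sql
-- Added example, not from the thread. Assumes the standard Sguil MySQL
-- schema: event.timestamp, event.signature, event.src_ip / event.dst_ip
-- as unsigned integers (hence INET_NTOA), event.sid joined to sensor.sid.

-- 1) The finished Query Builder clause once "signature" is typed by hand.
--    Sguil prepends the timestamp condition; only the part after AND is
--    yours to write:
--    WHERE event.timestamp > '2014-08-22' AND event.signature LIKE '%HSRP%'

-- 2) Run directly against sguildb to see which sensor, source host and
--    day account for the burst of HSRP alerts, one row per combination.
SELECT sensor.hostname,
       event.signature,
       INET_NTOA(event.src_ip) AS src_ip,
       INET_NTOA(event.dst_ip) AS dst_ip,
       DATE(event.timestamp)   AS day,
       COUNT(*)                AS hits,
       MIN(event.timestamp)    AS first_seen,
       MAX(event.timestamp)    AS last_seen
FROM event
INNER JOIN sensor ON event.sid = sensor.sid
WHERE event.timestamp > '2014-08-22'
  AND event.signature LIKE '%HSRP%'
GROUP BY sensor.hostname, event.signature, src_ip, dst_ip, day
ORDER BY hits DESC
LIMIT 100;
```

A source that appears on a segment where no HSRP router should be speaking is the row worth looking at first; an expected router pair announcing on schedule is usually just noise to tune.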