Multiple IP Ranges in ELSA Query


Leon Dinh

Jul 20, 2015, 12:04:56 PM7/20/15
to securit...@googlegroups.com
Hello,

I asked about this before:
https://groups.google.com/forum/#!searchin/security-onion/multiple$20ip$20ranges/security-onion/qD48Ns3R4so/kEGZEApZ5pwJ

But after an update querying ELSA for multiple IP ranges is not working again.

Example of syntax that used to work:

class=SNORT srcip>=1.1.1.0 srcip<=1.1.1.255 srcip>=2.2.2.0 srcip<=2.2.2.255

I'd love some advice on this.

Thanks,

L.D.

Doug Burks

Jul 27, 2015, 12:30:49 PM7/27/15
to securit...@googlegroups.com
Hi Leon,

I just tested your syntax and it worked fine for me.

In your previous thread that you linked to, I asked some questions but
never received the answers, so let's start with those:

Are you sure you've installed all Security Onion updates and are
running our latest ELSA packages?

Have you tried doing a fresh test installation of Security Onion
(perhaps just in a VM) to see if you get the error message there?
--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Gary Faulkner

Aug 9, 2015, 11:14:36 PM8/9/15
to securit...@googlegroups.com
Doug,

I'll chime in here since I work with Leon and recently took over admin
of the SO boxes from a previous admin. Leon is having trouble with this
both on an older SO (official distro) stand-alone that was recently
updated, as well as a brand new SO - ELSA setup running on Ubuntu Server
with 1 Master and 2 Sensors primarily running ELSA (meaning Suricata,
Bro etc are disabled). The only real customization and the main reason
for using Ubuntu Server on the new boxes is to take advantage of LVM.
The new boxes are setup less than two weeks ago, and are up to date as
of this past Friday.

For some background this issue came up when trying to migrate some in
house scripts that queried ELSA from the older CLI API to the new web
API. The CLI API in previous versions of ELSA allowed you to string
together multiple IP ranges and we took advantage of that to produce
reports for various admins. The web API was completely rewritten in ELSA
which broke the CLI API, which just pointed to an older version of the
web API, but was not updated to be compatible with the new web API.

Regards,
Gary

Doug Burks

Aug 10, 2015, 5:24:05 AM8/10/15
to securit...@googlegroups.com
On Sun, Aug 9, 2015 at 11:14 PM, Gary Faulkner <gfaulk...@gmail.com> wrote:
> For some background this issue came up when trying to migrate some in
> house scripts that queried ELSA from the older CLI API to the new web
> API. The CLI API in previous versions of ELSA allowed you to string
> together multiple IP ranges and we took advantage of that to produce
> reports for various admins. The web API was completely rewritten in ELSA
> which broke the CLI API, which just pointed to an older version of the
> web API, but was not updated to be compatible with the new web API.

Have you tried the new /opt/elsa/contrib/securityonion/contrib/cli.sh?

Gary Faulkner

Aug 10, 2015, 11:34:36 AM8/10/15
to securit...@googlegroups.com
At the moment the query doesn't appear to work even from the web
interface, so I'm not sure the CLI wrapper would help us until we can
get a working query. Leon's query did work in the web interface in older
versions of ELSA as well as in scriptland. It seems to not function in
the latest version of ELSA.

Doug Burks

Aug 10, 2015, 12:38:17 PM8/10/15
to securit...@googlegroups.com
My test on July 27 should have been using the latest version of ELSA
and I reported that it worked for me.

Have you tried doing a fresh test installation of Security Onion
(perhaps just in a VM) to see whether or not it works there?
Gary Faulkner

Aug 11, 2015, 5:59:33 PM8/11/15
to securit...@googlegroups.com, enterprise-log-s...@googlegroups.com
I spun up a new VM using the latest SO ISO, ran setup, ran soup,
restarted and tried the following query:

class=SNORT ((srcip>=10.1.1.0 srcip<=10.1.1.255) OR (srcip>=10.2.2.0 srcip<=10.2.2.255))

The goal of the query is to return SNORT alerts for multiple subnets
with a single query. This worked in a version of ELSA prior to the new
Web API, but does not seem to work in the most recent ELSA with the new
Web API.

The result was:

Impossible query, conflicting terms: srcip:>=:10.2.2.0, srcip:>=:10.1.1.0

If you try to put explicit ANDs into the query the parser does complain
that you need to use parentheses with arguments that contain both ANDs
and ORs, but it almost seems as if the query parser is ignoring the
parentheses and just implicitly ANDing every argument in the query
regardless.

Joshua Hersh

Apr 19, 2017, 5:20:09 AM4/19/17
to security-onion, enterprise-log-s...@googlegroups.com
On Tuesday, August 11, 2015 at 4:59:33 PM UTC-5, Gary wrote:
> I spun up a new VM using the latest SO ISO, ran setup, ran soup,
> restarted and tried the following query:
>
> class=SNORT ((srcip>=10.1.1.0 srcip<=10.1.1.255) OR (srcip>=10.2.2.0
> srcip<=10.2.2.255))
>
> The goal of the query is to return SNORT alerts for multiple subnets
> with a single query. This worked in a version of ELSA prior to the new
> Web API, but does not seem to work in the most recent ELSA with the new
> Web API.
>
> The result was:
>
> Impossible query, conflicting terms: srcip:>=:10.2.2.0, srcip:>=:10.1.1.0
>

I received the same results as Gary. Attempted today with ELSA 2.1.9 rev 1205 <-- AFAIK, this is the most updated version available in the ppa.

Is there a better way of querying for a subnet rather than srcip>=10.0.0.0 srcip<=10.0.0.255, or a range of IPs (10.0.0.100-10.0.0.105) which you could filter out?

Wes Lambert

Apr 19, 2017, 9:51:20 AM4/19/17
to securit...@googlegroups.com
Joshua,

You may want to see:

https://groups.google.com/d/msg/security-onion/rlb-dKglOG4/dLwWrVFLBe4J

https://github.com/mcholste/elsa/wiki/Documentation#queries

Thanks,
Wes

Josh

Apr 19, 2017, 10:39:58 AM4/19/17
to security-onion
On Wednesday, April 19, 2017 at 8:51:20 AM UTC-5, Wes wrote:
> Joshua,
>
>
> You may want to see:
>
>
> https://groups.google.com/d/msg/security-onion/rlb-dKglOG4/dLwWrVFLBe4J
>
> https://github.com/mcholste/elsa/wiki/Documentation#queries
>
>
>
> Thanks,
> Wes

Hello Wes and thanks for the reply. If you're referring to the explicit OR, both Gary and I have tried that. I have read through the ELSA query documentation but wasn't able to come up with a solution. I am still working through trial and error. The original question still remains. How to search multiple subnets? Additionally, how to search for a range of IPs.

Wes

Apr 19, 2017, 4:28:42 PM4/19/17
to security-onion

One way to search multiple subnets is like this:

https://groups.google.com/d/msg/security-onion/cMfrxn6G_QA/UYa_yjGMCwAJ

For IP range, try something like:

Ex. class=BRO_CONN (srcip>=10.0.0.100 AND srcip<=10.0.0.105)

Thanks,
Wes

Joshua Hersh

Apr 20, 2017, 12:06:06 PM4/20/17
to securit...@googlegroups.com
Wes,

  In reference to "multiple subnets", I can get the search to complete using multiple single IP addresses, however, every time I put in a wildcard, whether it is * (i.e. 10.0.0.*) or x (i.e. 10.0.0.x), the search finds nothing (no error).  When I do the query without specifying srcip=, I get plenty of results from source IP addresses in that range so clearly there is data for it to find.

  Is there more thorough documentation than this (https://github.com/mcholste/elsa/wiki/Documentation#queries) available somewhere?  Thanks for the assistance.

Josh


Wes

Apr 20, 2017, 9:34:09 PM4/20/17
to security-onion
Josh,

Try it like this:

("10.10.10.*")

OR

("10.10.*.*" OR "10.10.10.*")

More query tips can be found here:

https://github.com/Security-Onion-Solutions/security-onion/wiki/ELSAQueryTips

Thanks,
Wes

Joshua Hersh

Apr 21, 2017, 4:12:46 PM4/21/17
to securit...@googlegroups.com
Wes,

  It seems that the wildcard will work as long as I don't use it in a srcip= statement i.e. srcip=("10.10.10.*").  If I just add it to the query as a standalone item, as you have it listed above, it works.  I need to limit the original query to source IP of two subnets.  Looks like this may be a lost cause.  I'll see if I can figure something out.  I appreciate your responses though.

Josh
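Added example (not ELSA's code, not posted by anyone in this thread): it reproduces why Gary's range query is "impossible" once the parser implicitly ANDs every same-field range term, builds the standalone quoted-wildcard form from Wes's reply for octet-aligned subnets, and narrows the returned hits to a source-IP set on the client side, which is the part Josh was still missing. The hit records are a constructed stand-in for ELSA results and assume a `srcip` key named as in the thread.

```python
import ipaddress

def range_intersection(terms):
    """Apply the implicit AND the parser puts between same-field range terms.

    terms: iterable of (op, ip) with op in {'>=', '<='}.  Returns the
    (low, high) IPv4Address bounds every hit would have to satisfy, or
    None when the bounds cross, i.e. no hit can match (the thread's
    'Impossible query' case for two disjoint /24s)."""
    low = ipaddress.IPv4Address("0.0.0.0")
    high = ipaddress.IPv4Address("255.255.255.255")
    for op, ip in terms:
        addr = ipaddress.IPv4Address(ip)
        if op == ">=":
            low = max(low, addr)
        elif op == "<=":
            high = min(high, addr)
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return (low, high) if low <= high else None

def wildcard_query(cls, subnets):
    """Build the standalone quoted-wildcard form from Wes's reply, e.g.
    class=SNORT ("10.1.1.*" OR "10.2.2.*"), for /8, /16 and /24 prefixes.
    Other prefix lengths cannot be written with '*' and raise ValueError."""
    parts = []
    for cidr in subnets:
        net = ipaddress.IPv4Network(cidr, strict=True)
        if net.prefixlen not in (8, 16, 24):
            raise ValueError(f"{cidr} is not octet-aligned")
        keep = net.prefixlen // 8
        octets = str(net.network_address).split(".")[:keep]
        parts.append('"' + ".".join(octets + ["*"] * (4 - keep)) + '"')
    return f"class={cls} ({' OR '.join(parts)})"

def filter_by_srcip(hits, subnets):
    """Client-side narrowing: keep hits whose srcip lies in any subnet.

    The standalone wildcard matches the value in whichever field holds it,
    and srcip= with a wildcard returned nothing in the thread, so the
    source-IP restriction is applied here after the results come back."""
    nets = [ipaddress.IPv4Network(c, strict=False) for c in subnets]
    return [h for h in hits
            if any(ipaddress.IPv4Address(h["srcip"]) in n for n in nets)]

# Constructed sample hits standing in for ELSA results (not real data).
SAMPLE_HITS = [{"srcip": "10.1.1.7"}, {"srcip": "10.3.3.3"}, {"srcip": "10.2.2.250"}]
```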
