For anyone using ELSA and needs to search multiple subnets read this.

[chris izatt]

Here are some example queries of how to can search subnets in ELSA. As far as I have tested this works with any of the classes and or group by in elsa. Have fun Let me know if you have any questions and or comments.

Chris

class=SNORT "-" groupby:sig_msg ("10.2.x.x" or "10.27.*.*" or "10.28.*.*" or "10.30.*.*" or "10.31.6.*" or "10.4.*.*")

class=BRO_DNS dstport="53" groupby:query_class ("10.2.x.x" or "10.27.*.*" or "10.28.*.*" or "10.30.*.*" or "10.31.6.*" or "10.4.*.*")