Wildcard search help in ELSA


J.Orrin

Jul 26, 2013, 2:19:18 PM
to securit...@googlegroups.com
Hi All,

I apologize in advance if this has already been answered but I was unable to find the syntax on how to do it. I am trying to perform a simple query that returns all of the subdomains that are associated with a specific domain and have been seen in our enterprise. I have tried performing a wildcard search but have been unsuccessful.

Below is an example of a sanitized query
Example:
BRO_HTTP.site=google.com
Result is as expected: returns traffic to the domain google.com only

BRO_HTTP.site=*.google.com
Returns 0 results; I was hoping to get, for example, traffic to google.com, drive.google.com, images.google.com, etc.

What is the syntax which would return all results for a domain containing multiple subdomains?

Any help is greatly appreciated.

Thanks....

Scott Runnels

Jul 26, 2013, 2:39:24 PM
to securit...@googlegroups.com
Hi J Orrin,  

Would you be looking for something like this?

program:bro_http | grep(site,google)

v/r
Scott

Scott Runnels




--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/groups/opt_out.



J.Orrin

Jul 26, 2013, 3:09:00 PM
to securit...@googlegroups.com
Hi Scott

Thank you for the response. That matches on what I am looking for.

Thank you again
J

I tried your syntax but it did not yield the

Martin Holste

Jul 26, 2013, 3:54:26 PM
to security-onion
That syntax will only wildcard match the first 100 results of the search before the pipe.  You can use the archive to do a true wildcard search by adding "archive:1" to your query.  All terms will be implicitly wildcarded.
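The two points raised in this thread, that `grep(site,google)` is an unanchored substring match and that a post-pipe transform only sees the first 100 rows, are easy to see on a handful of constructed site values. The block below is an added illustration written for this page, not ELSA code and not a reproduction of ELSA's query engine: it models the substring match next to a label-anchored domain-suffix match (the domain itself plus any subdomain, which is what the original question asked for) and models the result cap on a constructed list where the matching rows sit past position 100. The sample hostnames, the `cap` parameter and the function names are all assumptions made for the example.

```python
import re

# Constructed sample "site" values, in the shape of Bro HTTP host fields.
# They are not taken from the thread or from any real capture.
SAMPLE_SITES = [
    "google.com",
    "drive.google.com",
    "images.google.com",
    "notgoogle.com",               # substring hit, but not a subdomain
    "google.com.evil.example",     # substring hit, but a different domain
    "googleapis.com",              # substring hit, but a different domain
    "example.org",
]


def substring_match(sites, needle):
    """Model of an unanchored grep over the site field: any row whose
    value merely contains `needle` is returned."""
    return [s for s in sites if needle in s]


def domain_suffix_match(sites, domain):
    """Return the domain itself and any subdomain of it.

    The pattern is anchored at a label boundary (start of string or a
    dot) and at the end of the string, so 'notgoogle.com' and
    'google.com.evil.example' are excluded while 'drive.google.com' is
    kept. Matching is case-insensitive because hostnames are."""
    pattern = re.compile(r"(?:^|\.)" + re.escape(domain) + r"$", re.IGNORECASE)
    return [s for s in sites if pattern.search(s)]


def capped_then_filter(sites, domain, cap=100):
    """Model of a transform applied only to the first `cap` rows of a
    search: rows beyond the cap are never examined, so matches that
    happen to sit later in the result set are silently lost."""
    return domain_suffix_match(sites[:cap], domain)


def build_large_sample():
    """Constructed result set: 100 unrelated rows followed by 20
    subdomain rows, so every true match lies past the cap."""
    filler = ["example.org"] * 100
    tail = ["host%d.google.com" % i for i in range(20)]
    return filler + tail


if __name__ == "__main__":
    print("substring  :", substring_match(SAMPLE_SITES, "google"))
    print("suffix     :", domain_suffix_match(SAMPLE_SITES, "google.com"))
    big = build_large_sample()
    print("uncapped   :", len(domain_suffix_match(big, "google.com")))
    print("capped@100 :", len(capped_then_filter(big, "google.com")))
```

The suffix matcher is the check to run when the goal is "every host under this domain" rather than "every host mentioning this string": the three over-matches in `SAMPLE_SITES` are exactly the kind of rows that inflate a substring count. The capped run returning nothing while the uncapped run finds 20 rows is the failure mode Martin describes, and is why a search that has to be exhaustive needs the archive path instead of a post-pipe filter.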