SELKS. Search community_id in EveBox.

[suri cata]

Hello everyone.

I usually use queries in EveBox type:

alert.severity:1

app_proto: "http"

etc,

But when I want to search by community_id, nothing ever comes out. It doesn't matter if I put it with quotes, without quotes, separated... it never comes out.

 Greetings,

[Peter Manev]

Hi, 

Just checking 

Does it work correctly with “flow_id” ?

Thank you 

-- 

Regards,

Peter Manev 

On 13 Jun 2023, at 08:21, suri cata <suri.w...@gmail.com> wrote:



--
Discord: Let's talk about SELKS on
https://discord.com/channels/911231224448712714/911238451842666546
Wiki: https://github.com/StamusNetworks/SELKS/wiki
GitHub: https://github.com/StamusNetworks/SELKS
Blog: https://www.stamus-networks.com/blog
Twitter: @StamusN
---
You received this message because you are subscribed to the Google Groups "SELKS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to selks+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/selks/689fc66b-e498-4797-a1d0-4039c4bf5610n%40googlegroups.com.

[suri cata]

Hi,

From the search field flow_id does work. But it is not entirely correct because only the dns item appears.

If we do it from:

evebox/#/events?q=flow_id:"1571324836364187"

 So all the items do appear, Flow, alert and dns.

Thank you

[Jason Ish]

If you are able to, try to update your EveBox.  I just checked, and this does appear to be broken with a fresh install of SELKS which uses EveBox 0.16..  If you `docker pull jasonish/evebox:master` you will get a newer version which has fixed some Elasticsearch queries, and also presents the community ID as a clickable link.

Jason

[suri cata]

Hi, Jason

Thanks for answering.

 Is it only necessary to update evebox?

apt update:

evebox/unknown 1:0.17.2 amd64 [upgradable from: 1:0.15.0]

Thanks,

[Peter Manev]

Hi ,

Just for info: if you need to update the docker containers (or a
specific container) on any installation - aka ISO or just regular
docker install on a Linux OS you can follow the docs here -
https://github.com/StamusNetworks/SELKS/wiki/Docker#updating-containers

Thank you

> --
> Discord: Let's talk about SELKS on
> https://discord.com/channels/911231224448712714/911238451842666546
> Wiki: https://github.com/StamusNetworks/SELKS/wiki
> GitHub: https://github.com/StamusNetworks/SELKS
> Blog: https://www.stamus-networks.com/blog
> Twitter: @StamusN
> ---
> You received this message because you are subscribed to the Google Groups "SELKS" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to selks+un...@googlegroups.com.

> To view this discussion on the web visit https://groups.google.com/d/msgid/selks/2531cc2b-360f-4fc8-b55a-9bbd5e3f933fn%40googlegroups.com.



--
Regards,
Peter Manev

[suri cata]

Thank you Peter. I understand that when you update the containers, the configuration and data are kept, right?

[suri cata]

Hí,

I'm trying to do what the guide says:

Upgrade all containers

If you are already running SELKS on docker, you can upgrade the containers to a fixed version. To do so, simply run from the docker directory:

git pull

docker compose pull

docker compose stop

sudo -E docker compose up -d

root @ SELKS:/opt/selksd/SELKS/docker# docker compose pull
docker: 'compose' is not a docker command.
See 'docker --help'

[Peter Manev]

Hi,
Depending on what type of OS you have you also might need to try
"docker-compose" as opposed to "docker compose".

Due to an older version for example.

Thank you

> To view this discussion on the web visit https://groups.google.com/d/msgid/selks/f917d305-2e71-49aa-9d59-51db0d4e3c5dn%40googlegroups.com.



--
Regards,
Peter Manev

[suri cata]

Hí, Perter.

All right. Just one thing; In Evebox, on the top left, there is a red button: "Reload Requires" which, at the moment, there is no way it will disappear no matter what you do.

[Peter Manev]

Hi,

Can you share a screenshot please?

Thank you

> To view this discussion on the web visit https://groups.google.com/d/msgid/selks/ea2b05f2-6655-4731-9322-7efbdf989e63n%40googlegroups.com.



--
Regards,
Peter Manev

[Jason Ish]

Sorry about that, it sometimes, but not often happens on the master branch/tag.  I'll fix it sometime today.

[suri cata]

Hí, Peter

;-)

[suri cata]

Hí, Jason

I await the update. I like the updated version of evebox a lot.

[Jason Ish]

Hello, the EveBox image was updated late Friday.  Following the update steps should get you the latest version.  The "Help -> About" should show version `0.18.0-dev`.

[suri cata]

Hí Jason and Peter,

Thanks for your help. Everything updated and working correctly.

;-)

[suri cata]

Hí again.

I'm checking that before I could filter the alerts using "!". Now I am not working.

For example; If I want to filter only the alerts with RRSS description, in the search field this worked. If now I put "!RRSS", before it worked and now it doesn't.

Greetings,

El lunes, 19 de junio de 2023 a las 22:11:19 UTC+2, Jason Ish escribió:

[Jason Ish]

The latest versions have been making an effort to abstract the query language to something common between SQL and Elasticsearch and this broke a few things.  For your simple negation above you can do: "NOT RRSS"

Include the quotes.  That will be passed directly to to Elasticsearch.  Unfortunately negating on a phrase doesn't seem to be working. I'm creating an issue for this.

[suri cata]

Ok. Thanks