Things I've checked out so far to make it possible:
The operators "contains / contains_not" would maybe fit, so we could search at least for something like 192.168.2 for the 192.168.2.0/24 subnet
So I changed in lib/snorby/search.rb the operator group for "Source Address" to "more_text_input" in line 544
-> The contains operator is now selectable in the searchmask but it still throws errors.
Looking at lib/snorby/lib/snorby/model/types/numeric_ip_addr.rb IP Addresses are converted to int like this: 192.168.2.45 -> 192 2^24 + 168 2^16 .. and so on, resulting in 3232236077 as the equivalent to 192.168.2.45, thats how it is stored in the DB. (iphdr table)
So if I now enter 192.168.2 in the search mask it translates to 3232235522 what reverse translates to 192.168.2.0. With the "contains" operator selected, the DB is queried for datasets that contain 192.168.2.0 and not the whole subnet, or a wildcard.
Any idea on how to search for the full subnet? Without iterating and calculating over all datasets and checking if its in the subnet range...
Things I've checked out so far to make it possible: The operators "contains / contains_not" would maybe fit, so we could search at least for something like 192.168.2 for the 192.168.2.0/24 subnet So I changed in lib/snorby/search.rb the operator group for "Source Address" to "more_text_input" in line 544 -> The contains operator is now selectable in the searchmask but it still throws errors.
Looking at lib/snorby/lib/snorby/model/types/numeric_ip_addr.rb IP Addresses are converted to int like this: 192.168.2.45 -> 192 2^24 + 168 2^16 .. and so on, resulting in 3232236077 as the equivalent to 192.168.2.45, thats how it is stored in the DB. (iphdr table)
So if I now enter 192.168.2 in the search mask it translates to 3232235522 what reverse translates to 192.168.2.0. With the "contains" operator selected, the DB is queried for datasets that contain 192.168.2.0 and not the whole subnet, or a wildcard.
Any idea on how to search for the full subnet? Without iterating and calculating over all datasets and checking if its in the subnet range...