TheHive-Project / TheHive

TheHive: a Scalable, Open Source and Free Security Incident Response Platform
https://thehive-project.org
GNU Affero General Public License v3.0

[Bug] Search function doesn't work #2299

Open Recovzz opened 2 years ago

Recovzz commented 2 years ago

Request Type

Bug

Work Environment

| Question | Answer |
| -- | -- |
| OS version (server) | CentOS 7 |
| Virtualized Env. | True |
| Dedicated RAM | 8 GB |
| TheHive version | 4.1.14 |
| Package Type | RPM |
| Database | Cassandra |
| Index type | Elasticsearch |
| Attachments storage | HDFS |

Problem Description

I would like to use the search function to filter my cases by categories such as description. When I try to use the search function, filtering by description or something else, no result is returned.

The case exists; when I search by case_id, it works.

Do you have any idea?


In addition, there is a performance problem. I have a test environment that I updated to TheHive 4.1 and another environment that is on 3.5. When I use the search function, TheHive 3.5 returns the result in a few milliseconds, while on the 4.1 version it takes almost 10 seconds to return the result. There is exactly the same database on both environments.

b3belov commented 2 years ago

When you use search, it searches for an exact match between the search phrase and the text.

If you want a partial match, use wildcards. For example, if you want to search for 1.1.1.1 in an alert or case description, use *1.1.1.1*.

jkb-s commented 2 years ago

Trailing wildcard is working. Are you sure leading wildcard works as well? @b3belov

dream91 commented 2 years ago

I noticed a problem with wildcards after upgrading from 4.1.0 to 4.1.14.

When I am searching for the case "Critical Vulnerability Detected" with *Critical*, it doesn't return anything. It returns results when I search Critical* or … *critical*.

I have Cases with "title":"Critical Vulnerability Detected"

This doesn't return any Case

POST /api/v0/query
{
    "query": [
        {
            "_name": "listCase"
        },
        {
            "_wildcard": {
                "_field": "title",
                "_value": "*Critical*"
            },
            "_name": "filter"
        }
    ]
}

This returns some Cases

POST /api/v0/query
{
    "query": [
        {
            "_name": "listCase"
        },
        {
            "_wildcard": {
                "_field": "title",
                "_value": "Critical*"
            },
            "_name": "filter"
        }
    ]
}

The next problem I noticed is that I can't search with multiple words.

There was a test on the newest version 4.1.17-1 and he reproduced the same problem. https://github.com/n8n-io/n8n/issues/2699#issuecomment-1026732321
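As an added example that is not part of the thread or of TheHive's own code: a small Python helper that builds the `/api/v0/query` wildcard filter shown above, computes which titles a correct wildcard search should return (case-insensitive matching is an assumption, consistent with dream91's observation that *critical* matches "Critical …"), and diffs that against what a server actually returned so the leading-wildcard regression can be confirmed rather than guessed at. `SAMPLE_TITLES`, `post_query` and the Bearer header are assumptions/constructed data, not from the issue.

```python
import json
import re
import urllib.request

# Constructed sample case titles (not data from the issue).
SAMPLE_TITLES = [
    "Critical Vulnerability Detected",
    "Phishing campaign against finance",
    "Non-critical patch review",
    "Critical",
]


def wildcard_filter_query(field, pattern, entity="listCase"):
    """Build the /api/v0/query body from the thread: list entities, then keep
    those whose `field` matches the wildcard `pattern`."""
    return {
        "query": [
            {"_name": entity},
            {"_wildcard": {"_field": field, "_value": pattern}, "_name": "filter"},
        ]
    }


def wildcard_matches(pattern, text):
    """Expected semantics: '*' matches any run of characters, everything else is
    literal, and the whole value must match (so no '*' means exact match).
    Case-insensitive (assumption based on *critical* matching in the thread)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text, re.IGNORECASE) is not None


def expected_hits(pattern, titles=SAMPLE_TITLES):
    """Titles a correct wildcard search should return for `pattern`."""
    return [t for t in titles if wildcard_matches(pattern, t)]


def compare_with_server(pattern, server_titles, titles=SAMPLE_TITLES):
    """Diff expected vs. returned titles. A non-empty 'missing' list for a
    leading-wildcard pattern reproduces the regression dream91 describes."""
    expected, got = set(expected_hits(pattern, titles)), set(server_titles)
    return {"missing": sorted(expected - got), "unexpected": sorted(got - expected)}


def post_query(base_url, api_key, body):
    """Send `body` to a TheHive instance (network call, not run here; the
    Bearer auth header is an assumption about the API)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/v0/query",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Bearer " + api_key},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `compare_with_server("*Critical*", titles_returned_by_server)` after posting `wildcard_filter_query("title", "*Critical*")`; an empty `missing` list means the leading wildcard works on that version.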