int13h / squert

A Simple QUEry and Report Tool
http://www.squertproject.org
GNU General Public License v3.0

Feature Request: Chain Filters #27

Open idboehman opened 11 years ago

idboehman commented 11 years ago

As far as I'm aware, you are only able to use one custom filter in the new filter system. I've tried chaining them with ",", "and", and "&&", but the first filter is always the one which is applied.

int13h commented 11 years ago

For now you can just chain on a distinct filter, for example "sip ip1,ip2,ip3". I plan on adding chaining functionality outside of that constraint, like "sig malware,current_events cc cn,lv,ru" but just haven't got around to it.

Can you give me a feeling of what you want to do? Have you tried creating your own filter to achieve it?

On Wed, Apr 17, 2013 at 2:10 PM, idboehman notifications@github.com wrote:

As far as I'm aware, you are only able to use one custom filter in the new filter system. I've tried chaining them with ",", "and", and "&&", but the first filter is always the one which is applied.


idboehman commented 11 years ago

What I was trying to do was the following:

We're still fine-tuning our suricata/securityonion install here, and so I was making custom filters for our noisy rules. For example, not_surst filters out any events with a signature like SURICATA STREAM, and not_url filters any signature IDs equal to 420042. I was trying to write a query/filter such as not_url and not_surst. It's simple enough to write a query that'll do this for me, but I thought I'd try chaining them first. In fact, those filters above are so single-use that it's easier to just create one for both.

Related to the above, how do I filter events based on what sensor they come from? Right now I'd like only suricata/snort events to show up, as there's one signature/event which fires on every single URL visited (I believe related to Bro).

Thanks again for all your work on Squert, it's very appreciated!

int13h commented 11 years ago

I have been thinking about that a bit but haven't put anything to paper yet. For now you could just figure out the sids for your sensor table via mysql:

SELECT sid,agent_type FROM sensor

Once you have these you could make a filter that looks like (sid IN(1,3,5,7,19) AND ...)

I have a couple of things I need to clean up yet, but once they are done I will look at making both of the items a little easier.
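Putting the two parts of this thread together (the combined not_url/not_surst filter and the per-sensor sid restriction), here is an added example that is not from the Squert project. It assumes the Sguil-style `event` table with columns `sid`, `signature` and `signature_id` (an assumption, not confirmed on this page); the sid list `1,3,5,7,19` is a constructed placeholder to be replaced with the sids your sensor query returns.

```sql
-- Step 1 (from the reply above): list sensor ids and their agent types,
-- then note the sids that belong to your snort/suricata sensors.
SELECT sid, agent_type FROM sensor ORDER BY sid;

-- Step 2: check what one combined filter would match before saving it
-- in Squert. The parenthesised WHERE clause is the filter expression:
--   sid IN (...)            keep only the NIDS sensors found in step 1
--   signature NOT LIKE ...  the "not_surst" filter (SURICATA STREAM events)
--   signature_id <> 420042  the "not_url" filter (the noisy URL rule)
-- Column names follow the Sguil schema (assumption); sids are placeholders.
SELECT sid, signature_id, signature, COUNT(*) AS hits
FROM event
WHERE (sid IN (1,3,5,7,19)
       AND signature NOT LIKE 'SURICATA STREAM%'
       AND signature_id <> 420042)
GROUP BY sid, signature_id, signature
ORDER BY hits DESC
LIMIT 20;
```

Running the second query first shows which signatures survive the filter, so a too-broad exclusion (for example a LIKE pattern that hides more than the stream events) is visible before it silently drops alerts from the console.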

idboehman commented 11 years ago

Gotcha, thanks! I ended up just disabling http_agent as well as autocategorizing them (as suggested in the securityonion walkthrough, should have read that a bit closer), so hopefully that takes care of the noisy URL rule.

The reason I asked about the sensor filter was because I thought it used to be a feature of Squert at one point, maybe on the Query page, which the filters have replaced.