search

radiumfu / enterprise-log-search-and-archive

Automatically exported from code.google.com/p/enterprise-log-search-and-archive
0 stars 0 forks source link

MyOrg Saved search multiple subnets #196

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago 
What steps will reproduce the problem?
1. search for something using  +$dst_myorg such as www.google.com 
class=BRO_HTTP +$dst_myorg as suggested on 
https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation#S
aved_Searches_%28Macros%29

What is the expected output? 
results from ips in the known_subnets stanza in /etc/elsa_web.conf
What do you see instead?
error on client browser Impossible query, conflicting terms: 
dstip:>=:172.16.0.0, dstip:>=:192.168.0.0, dstip:>=:10.0.0.0

What version of the product are you using? On what operating system?
r1171 RHEL 6.5

Please provide any additional information below.

Stanza from /etc/elsa_web.conf:
      "whois" : {
         "known_orgs" : {
            "MyOrg" : {
               "cc" : "US",
               "city" : "Anytown",
               "country" : "United States",
               "descr" : "MyOrg",
               "name" : "MyOrg",
               "org" : "MyOrg",
               "state" : "Somestate"
            }
         },
         "known_subnets" : {
            "10.0.0.0" : {
               "end" : "10.255.255.255",
               "org" : "MyOrg"
            },
            "172.16.0.0" : {
               "end" : "172.31.255.255",
               "org" : "MyOrg"
            },
            "192.168.0.0" : {
               "end" : "192.168.255.255",
               "org" : "MyOrg"
            }
         }
      }

Log from /data/elsa/web.log:
* TRACE [2014/02/18 16:25:30] /usr/local/elsa/web/lib/QueryParser.pm (410) 
QueryParser::_parse_query 30521 [undef]
terms: $VAR1 = {
          'and' => {
                     'dstip:<=:10.255.255.255' => {
                                                    'value' => '10.255.255.255',
                                                    'field' => 'dstip',
                                                    'op' => '<='
                                                  },
                     'dstip:<=:172.31.255.255' => {
                                                    'value' => '172.31.255.255',
                                                    'field' => 'dstip',
                                                    'op' => '<='
                                                  },
                     'class::BRO_HTTP' => {
                                            'value' => 'BRO_HTTP',
                                            'field' => 'class',
                                            'op' => '='
                                          },
                     'dstip:>=:172.16.0.0' => {
                                                'value' => '172.16.0.0',
                                                'field' => 'dstip',
                                                'op' => '>='
                                              },
                     'dstip:>=:192.168.0.0' => {
                                                 'value' => '192.168.0.0',
                                                 'field' => 'dstip',
                                                 'op' => '>='
                                               },
                     'dstip:>=:10.0.0.0' => {
                                              'value' => '10.0.0.0',
                                              'field' => 'dstip',
                                              'op' => '>='
                                            },
                     ':www.google.com' => {
                                            'value' => 'www.google.com',
                                            'field' => '',
                                            'op' => ':'
                                          },
                     'dstip:<=:192.168.255.255' => {
                                                     'value' => '192.168.255.255',
                                                     'field' => 'dstip',
                                                     'op' => '<='
                                                   }
                   }
        };

Original issue reported on code.google.com by usr.s...@gmail.com on 18 Feb 2014 at 9:32

GoogleCodeExporter commented 8 years ago 
Terms are AND by default. Can you put the word OR between these results and see 
if that works for you?

Original comment by mchol...@gmail.com on 19 Feb 2014 at 5:38

GoogleCodeExporter commented 8 years ago 
Where would I put OR in elsa_web.conf

Original comment by usr.s...@gmail.com on 6 Mar 2014 at 12:41