BUG - Functionality - Clicking on Signature graph brings up blank search #287

Closed
jthoel opened this issue May 21, 2013 · 2 comments

jthoel commented May 21, 2013

Snorby 2.6.1, recently installed.

From the Dashboard, Go to Signatures Tab, pretty pie chart appears. Click on a slice and it acts like it should bring up a query, but the query finds zero events (https://ServerIP/results?title=ET%20EXPLOIT%20MS-SQL%20SQL%20Injection%20closing%20string%20plus%20line%20comment&match_all=true&search%5B0%5D%5Bcolumn%5D=signature_name&search%5B0%5D%5Benabled%5D=true&search%5B0%5D%5Boperator%5D=is&search%5B0%5D%5Bvalue%5D=ET%20EXPLOIT%20MS-SQL%20SQL%20Injection%20closing%20string%20plus%20line%20comment&search%5B1%5D%5Bcolumn%5D=start_time&search%5B1%5D%5Benabled%5D=true&search%5B1%5D%5Boperator%5D=gte&search%5B1%5D%5Bvalue%5D=2013-05-20%2019:11:44&search%5B2%5D%5Bcolumn%5D=end_time&search%5B2%5D%5Benabled%5D=true&search%5B2%5D%5Boperator%5D=lte&search%5B2%5D%5Bvalue%5D=2013-05-21%2019:11:44).

Running the same query from Search using the same Signature results in a proper search with all the items (the URL, however, is https://ServerIP/results so that doesn't help).

From the log, doing it from the Dashboard:

Started GET "/results?title=ET%20EXPLOIT%20MS-SQL%20SQL%20Injection%20closing%20string%20plus%20line%20comment&match_all=true&search%5B0%5D%5Bcolumn%5D=signature_name&search%5B0%5D%5Benabled%5D=true&search%5B0%5D%5Boperator%5D=is&search%5B0%5D%5Bvalue%5D=ET%20EXPLOIT%20MS-SQL%20SQL%20Injection%20closing%20string%20plus%20line%20comment&search%5B1%5D%5Bcolumn%5D=start_time&search%5B1%5D%5Benabled%5D=true&search%5B1%5D%5Boperator%5D=gte&search%5B1%5D%5Bvalue%5D=2013-05-20%2019:15:31&search%5B2%5D%5Bcolumn%5D=end_time&search%5B2%5D%5Benabled%5D=true&search%5B2%5D%5Boperator%5D=lte&search%5B2%5D%5Bvalue%5D=2013-05-21%2019:15:31" for 10.10.105.197 at 2013-05-21 19:16:16 +0000
Processing by PageController#results as HTML
Parameters: {"title"=>"ET EXPLOIT MS-SQL SQL Injection closing string plus line comment", "match_all"=>"true", "search"=>{"0"=>{"column"=>"signature_name", "enabled"=>"true", "operator"=>"is", "value"=>"ET EXPLOIT MS-SQL SQL Injection closing string plus line comment"}, "1"=>{"column"=>"start_time", "enabled"=>"true", "operator"=>"gte", "value"=>"2013-05-20 19:15:31"}, "2"=>{"column"=>"end_time", "enabled"=>"true", "operator"=>"lte", "value"=>"2013-05-21 19:15:31"}}}
Rendered events/_menu.html.erb (3.6ms)
Rendered events/_menu.html.erb (0.9ms)
Rendered collection (0.0ms)
Rendered page/_events.html.erb (7.1ms)
Rendered events/_hotkeys.html.erb (0.2ms)
Rendered page/results.html.erb within layouts/application (15.5ms)
Rendered layouts/_version.html.erb (0.0ms)
Rendered layouts/_header.html.erb (19.8ms)
Rendered layouts/_content.html.erb (0.1ms)
Rendered layouts/_footer.html.erb (0.1ms)
Rendered layouts/_notify.html.erb (0.1ms)
Completed 200 OK in 54ms (Views: 42.7ms | Models: 3.640ms)

From the log, doing it from the Search:
Started POST "/results" for 10.10.105.197 at 2013-05-21 19:17:30 +0000
Processing by PageController#results as HTML
Parameters: {"match_all"=>"true", "search"=>"{"0":{"column":"signature","operator":"is","value":"491","enabled":true}}", "authenticity_token"=>"QegqnZFRlsgIhi9VbdpJCJLsqxkDvilVYguv+A/2Nuk="}
Rendered events/_menu.html.erb (4.1ms)
Rendered events/_menu.html.erb (0.8ms)
Rendered events/_event.html.erb (1443.3ms)
Rendered page/_events.html.erb (1447.9ms)
Rendered events/_hotkeys.html.erb (0.2ms)
Rendered page/results.html.erb within layouts/application (1456.7ms)
Rendered layouts/_version.html.erb (0.0ms)
Rendered layouts/_header.html.erb (22.1ms)
Rendered layouts/_content.html.erb (0.1ms)
Rendered layouts/_footer.html.erb (0.1ms)
Rendered layouts/_notify.html.erb (0.0ms)
Completed 200 OK in 1513ms (Views: 1385.7ms | Models: 104.285ms)

@ghost ghost assigned djcas9 May 25, 2013

djcas9 commented May 25, 2013

Fixed in v2.6.2

@djcas9 djcas9 closed this as completed May 25, 2013