Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Kibana Add filter should use LTE not LT on IP fields #51666

Open
spartan782 opened this issue Nov 25, 2019 · 5 comments
Open

Kibana Add filter should use LTE not LT on IP fields #51666

spartan782 opened this issue Nov 25, 2019 · 5 comments
Labels
enhancement New value added to drive a business result Feature:Filters Feature:Search Querying infrastructure in Kibana impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:needs-research This issue requires some research before it can be worked on or estimated Team:DataDiscovery Discover App Team (Document Explorer, Saved Search, Surrounding documents, Graph)
Projects
kibana-app-arch Discover

Comments

@spartan782
Copy link

Kibana version:
7.4
Elasticsearch version:
7.4
Server OS version:
N/A
Browser version:
N/A
Browser OS version:
N/A
Original install method (e.g. download page, yum, from source, etc.):
N/A
Describe the bug:
When using the add filter in Kibana to create a filter for IP address (or any data) using the is between it applies a GTE to the start but a LT to the end. This creates unexpected results especially when doing network blocks because you still see all of the broadcast or don't see them depending on how you applied the filter.

Steps to reproduce:

  1. Have data set with 2 distinct IP ranges in it and that follows ECS or some standard that shows Server (Originating) and Client (Responding). In my data set I have a lot of public IP's and my test environment 172.16.100.x/24
  2. Apply a filter for server.ip is between 172.16.100.0 to 172.16.100.255
  3. Apply a second filter for client.ip is NOT between 172.16.100.0 to 172.16.100.255

Expected behavior:
You only see Server IP's from your range talking to anything other than your servers. In my case I should see all of my test network talking to Public IP's. That is not the case though.

Screenshots (if relevant):
I crafted a query and filter to show the miss-leading results. Here is a screen shot of the 36 hits I get back that would normally get lost or overlooked in the millions of events.

Screen Shot 2019-11-25 at 3 34 26 PM

Errors in browser console (if relevant):

Provide logs and/or server output (if relevant):

Any additional context:
Here is the kibana query for more context. I think the easiest solution for any analyst not just in the security or IP space would be to include on both ends not just the beginning. Removes bad filter results and is easy enough and intuitive enough to understand that it is using an include on the last entry added.

Kibana_query.txt
@nreese nreese added the Team:Visualizations Visualization editors, elastic-charts and infrastructure label Nov 26, 2019
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-app (Team:KibanaApp)

@timroes timroes added the enhancement New value added to drive a business result label Nov 28, 2019
@timroes timroes changed the title Kibana Add filter should use LTE not LT Kibana Add filter should use LTE not LT on IP fields Dec 2, 2019
@timroes
Copy link
Contributor

timroes commented Dec 2, 2019
edited

@Bargs @TinaHeiligers I am a bit on the fence regarding this topic. I would agree that a "between" on IP fields feels more natively including the upper bound. But then it would behave a bit differently than on numeric fields where (and I think it's what it should be) the upper limit is exclusive, and having unaligned behavior might also be confusing in the end? What's your opinion on this?

@Bargs
Copy link
Contributor

Bargs commented Dec 3, 2019

Maybe it would be best to leave the range query as-is for consistency, but add support for CIDR notation in the regular match filter, which we currently have an issue for?

@timroes timroes added Team:AppArch and removed Team:Visualizations Visualization editors, elastic-charts and infrastructure labels Mar 16, 2020
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-app-arch (Team:AppArch)

@kibanamachine kibanamachine added this to To triage in kibana-app-arch Mar 16, 2020
@exalate-issue-sync exalate-issue-sync bot added impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:small Small Level of Effort labels Jun 2, 2021
@exalate-issue-sync exalate-issue-sync bot removed the loe:small Small Level of Effort label May 12, 2022
@petrklapka petrklapka added Feature:Search Querying infrastructure in Kibana Team:DataDiscovery Discover App Team (Document Explorer, Saved Search, Surrounding documents, Graph) and removed Team:AppServicesSv labels Nov 23, 2022
@elasticmachine
Copy link
Contributor

Pinging @elastic/kibana-data-discovery (Team:DataDiscovery)

@kibanamachine kibanamachine added this to Inbox in Discover Nov 23, 2022
@davismcphee davismcphee added the loe:needs-research This issue requires some research before it can be worked on or estimated label Sep 8, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New value added to drive a business result Feature:Filters Feature:Search Querying infrastructure in Kibana impact:low Addressing this issue will have a low level of impact on the quality/strength of our product. loe:needs-research This issue requires some research before it can be worked on or estimated Team:DataDiscovery Discover App Team (Document Explorer, Saved Search, Surrounding documents, Graph)
Projects
kibana-app-arch
  
To triage
Discover
Inbox
Milestone
No milestone
Development

No branches or pull requests
7 participants
@nreese @timroes @Bargs @spartan782 @elasticmachine @davismcphee @petrklapka