This repository has been archived by the owner on Nov 8, 2023. It is now read-only.

Trying to generate rules, but get "No hits for this filter." #548

Closed
jaygooby opened this issue Feb 18, 2021 · 4 comments

Comments

jaygooby commented Feb 18, 2021

I imported my error logs, and I can query stats:

GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.018s]
# example.com 52.89% (total:11775/22264)
...
# Top URI(s) :
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.041s]
# /foo 22.1% (total:2602/11775)

but when I try to generate rules using nxtool.py -c nxapi.json -s example.com -f --filter 'uri /foo' --slack I get:

GET http://127.0.0.1:9200/ [status:200 request:0.006s]
# size :1000
GET http://127.0.0.1:9200/nxapi/events/_search [status:200 request:0.024s]
No hits for this filter.

Any idea what I'm doing wrong?

jaygooby (Author) commented

Ah, looks like nxtool.py doesn't like being called with an nxapi.json config file that lives outside the path where nxtool.py is found. Steps to reproduce:

# This example assumes that naxsi has been git cloned to ~/src/naxsi and elastic search has already been
# populated from an error.log
cd ~/src/naxsi

# this will work and output rules
./nxtool.py -c nxapi.json -s example.com -f --filter 'uri /foo' --slack

# this will fail with "No hits for this filter." even though there is a ~/some/project/folder/nxapi.json
cd ~/some/project/folder
~/src/naxsi/nxtool.py -c ~/some/project/folder/nxapi.json -s example.com -f --filter 'uri /foo' --slack

# this will work, because it's pointing at the ~/src/naxsi/nxapi/nxapi.json config file and not at the one
# in ~/some/project/folder
cd ~/some/project/folder
~/src/naxsi/nxtool.py -c ~/src/naxsi/nxapi/nxapi.json -s example.com -f --filter 'uri /foo' --slack

wargio (Contributor) commented Feb 24, 2021

Hello, sorry, I didn't notice your issue: that seems to be indeed a bug.

jaygooby (Author) commented Feb 25, 2021

I did a bit of print debugging - it's because you either need to have the tpl folder copied to the new location, or you need to ensure that the nxapi.json has a full path to the tpl folder. Not sure it's a bug after all - it just needs to be a bit clearer about the dependence on the tpl folder.

wargio (Contributor) commented Feb 25, 2021

Well, a check should be in place to be sure all the needed data/folders are in place.
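The failure mode described in this thread is a template directory looked up relative to the current working directory instead of relative to the config file, so the tool silently finds no templates and reports "No hits for this filter." The following is an added example, not code from the naxsi project: it shows the two pieces a fix needs, resolving a relative template path against the directory that contains the config file, and failing early with an explicit error when that directory is missing. The config layout (a "naxsi" object with a "template_path" key), the function names and the constructed temporary directories are assumptions for the example, not nxtool.py's actual internals.

```python
import json
import os
import tempfile


def resolve_template_dir(config_path, config):
    """Return an absolute path to the template directory.

    A relative 'template_path' is interpreted relative to the directory that
    contains the config file, not the current working directory, so the tool
    behaves the same no matter where it is invoked from.
    (Key names are an assumption for this example.)
    """
    tpl = config.get("naxsi", {}).get("template_path", "tpl/")
    if not os.path.isabs(tpl):
        config_dir = os.path.dirname(os.path.abspath(config_path))
        tpl = os.path.join(config_dir, tpl)
    return os.path.normpath(tpl)


def check_template_dir(tpl_dir):
    """Fail with a clear message instead of a misleading 'No hits'."""
    if not os.path.isdir(tpl_dir):
        raise FileNotFoundError(
            "template directory not found: %s (check 'template_path' in the config)"
            % tpl_dir
        )
    if not os.listdir(tpl_dir):
        raise FileNotFoundError("template directory is empty: %s" % tpl_dir)
    return tpl_dir


def load_config(config_path):
    """Load the JSON config and validate its template directory up front."""
    with open(config_path) as fh:
        cfg = json.load(fh)
    tpl_dir = check_template_dir(resolve_template_dir(config_path, cfg))
    return cfg, tpl_dir


def demo():
    """Constructed scenario: config and tpl/ live in one directory, the tool is
    invoked from another. Returns (cwd_relative_lookup_found, resolved_found, path).
    """
    root = tempfile.mkdtemp()
    project = os.path.join(root, "project")
    os.makedirs(os.path.join(project, "tpl"))
    # A constructed template file so the directory is not empty.
    with open(os.path.join(project, "tpl", "example.tpl"), "w") as fh:
        fh.write("{}\n")
    cfg_path = os.path.join(project, "nxapi.json")
    with open(cfg_path, "w") as fh:
        json.dump({"naxsi": {"template_path": "tpl/"}}, fh)

    # Run "from elsewhere": the cwd contains no tpl folder at all.
    elsewhere = os.path.join(root, "elsewhere")
    os.makedirs(elsewhere)
    old_cwd = os.getcwd()
    os.chdir(elsewhere)
    try:
        cwd_relative_found = os.path.isdir("tpl/")   # what a cwd-relative lookup sees
        _, tpl_dir = load_config(cfg_path)           # config-relative resolution
        resolved_found = os.path.isdir(tpl_dir)
    finally:
        os.chdir(old_cwd)
    return cwd_relative_found, resolved_found, tpl_dir


if __name__ == "__main__":
    print(demo())
```

Resolving against the config file's directory makes the third invocation in the reproduction above behave like the first, and the explicit check turns the second one into an immediate, self-explanatory error rather than an empty result set.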

@mremande mremande closed this as completed Nov 8, 2023