ELSAQueryTips
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/ELSAQueryTips.
The following are posts from Martin Holste, the author of ELSA, extracted from the Security Onion and Security Onion Testing mailing lists, that provide insight and working examples of the power of ELSA's query capabilities.
Also see the ELSA documentation:
https://github.com/mcholste/elsa/wiki/Documentation
In any case, be sure to check out the documentation for [subsearches] (https://github.com/mcholste/_elsa/wiki/Documentation#Subsearches) as that's where you get the really powerful queries from.
The queries from today were like this (note that you can always replace groupby with using the Report On menu button):
Show NIDS alerts containing current events or trojan:
sig_msg:current_events or sig_msg:trojan groupby:sig_msg
Choose ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi) from the signature list, which executes:
sig_msg:"ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)"
Get a sense for the distribution of the alert over different IP's by pivoting on dstip (or look at the field summary at the top and notice that there is just one unique entry for srcip)
sig_msg:"ET POLICY Proxy Judge Discovery/Evasion (prxjdg.cgi)" groupby:dstip
Notice that there's just one entry for srcip and drill down on it
10.0.1.1 class:snort groupby:sig_msg
Find some other alerts but nothing concrete, mine for data in URL's (via Bro)
10.0.1.1 class:bro_http groupby:site
see the Polish site and drill-down
site:www.aksarat.pl
Click Info and choose the getPcap plugin to see the content of the request
As a follow-up, look at the URI structure and see if other sites are being used for this checkin
uri:check.rsp groupby:site
Get a feel for how often the check-in occurs
uri:check.rsp groupby:hour
Change granularity to per-minute
uri:check.rsp groupby:minute limit:1000
Be alerted in the future by clicking Results... and choosing Create alert so anytime uri:check.rsp shows up you get an email.
Once you start looking at connections in ELSA with geoip, you can also use the whois plugin in the same way to see a description of the destination network. So, from Brad's dashboard, you could run this query in the ELSA query box:
icmp or udp or tcp class=BRO_CONN groupby:BRO_CONN.dstip | whois
Then, you can do some post-search filters to remove any well-known hosts like this:
icmp or udp or tcp class=BRO_CONN groupby:BRO_CONN.dstip | whois | filter(descr,google)
Or maybe you want to see TCP traffic not to port 80/443:
tcp class=BRO_CONN groupby:BRO_CONN.dstip -dstport:80 -dstport:443 | whois
Or, find only things destined for a high port with a certain byte count:
+tcp class=BRO_CONN groupby:BRO_CONN.dstip +dstport>=1000 +bytes_in>1000000 | whois
You can use the command-line version of ELSA by navigating to /opt/elsa/contrib/securityonion/contrib and using the cli.sh script:
sh cli.sh "example.com"
The output is in JSON, so you might want to install jq and pipe the results into it:
sh cli.sh "example.com" | jq '.'
4/16/2013 - ELSA What is the best way to query for a list of all internal RFC1918 hosts sending / receiving traffic outside the US?
Great question!
If you're using a firewall to create the flow records:
host:<my firewall> class:firewall_connection_end srcip>=10.0.0.0 srcip<=10.255.255.255 srcip>=192.168.0.0 srcip<=192.168.255.255 srcip>=172.16.0.0 srcip<=172.16.255.255 groupby:dstip | geoip | filter(cc,us)
You will probably want to run a prior search for just
srcip>=10.0.0.0 srcip<=10.255.255.255 srcip>=192.168.0.0 srcip<=192.168.255.255 srcip>=172.16.0.0 srcip<=172.16.255.255
Then save that as a saved search and give it the name rfc1918. Then, you can reduce the above query to this:
host:<my firewall> class:firewall_connection_end $rfc1918 groupby:dstip | geoip | filter(cc,us)
If you leave off the host:<my firewall> term, then it will still work but only search temp indexes.
For data extrusion, one of my favorites is to do something similar, but with HTTP POST's:
+method:post $rfc1918 groupby:dstip | geoip | filter(cc,us)
Or Java user agents:
+user_agent:java $rfc1918 groupby:dstip | geoip | filter(cc,us)
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs