Current Behavior
Via Kibana dashboards (for example: SN-FILE-Transactions), when you try to filter content on an IP field, it works without issue with a specific IP (like "dest_ip: 8.8.8.8" or "not dest_ip: 8.8.8.8"), BUT it does not work with CIDR filtering (for example "dest_ip: 192.168.0.0/16" or "not dest_ip: 192.168.0.0/16").
This seems really strange, since by default, on all other Elasticsearch index mappings, an IP field can always be filtered with CIDR (see the Elasticsearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/7.17/ip.html).
On the SELKS Docker implementation at least, if we try to filter with "dest_ip: 192.168.0.0/16" we get shard exception errors as follows:
query_shard_exception at shard 0, index logstash-fileinfo-2024.07.30, node zG64wDeYSXqMvXshrIkLiA
Type: query_shard_exception
Reason: Failed to parse query [dest_ip: 192.168.0.0/16]
Index uuid: S1qgMZ3GTP63zrkDFacSqA
Index: logstash-fileinfo-2024.07.30
Caused by type: parse_exception
Caused by reason: Cannot parse 'dest_ip: 192.168.0.0/16': Lexical error at line 1, column 24. Encountered: <EOF> after : "/16"
Caused by caused by type: token_mgr_error
Caused by caused by reason: Lexical error at line 1, column 24. Encountered: <EOF> after : "/16"
This type of error points to a potential error in index mapping creation, index template usage, or the index mapping itself inside the Elasticsearch database settings.
Expected Behavior
Being able to filter IP fields using CIDR filters.
Steps To Reproduce
1. Install the SELKS Docker implementation.
2. Ingest data from the network (generate network traffic to feed Suricata).
3. Search data in Elasticsearch, trying to filter IP fields with a CIDR mask.
Docker version
Docker version 27.1.1, build 6312585
Docker Compose version
Docker Compose version v2.29.1
OS Version
Debian GNU/Linux 12 (bookworm)
Content of the environment file
COMPOSE_PROJECT_NAME=selks
INTERFACES= -i bond1
ELASTIC_MEMORY=64G
SCIRIUS_SECRET_KEY=
PWD=${PWD}
Version of SELKS
commit 4af455c (HEAD -> master, origin/master, origin/HEAD)
Author: Peter Manev
Date: Thu Jun 13 13:18:18 2024 +0200
Anything else?
No response
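What a CIDR filter on an Elasticsearch `ip` field should return, and why the unquoted form in the report fails, as an added example that is not part of this issue or of the SELKS/Scirius project. In Kibana's Lucene query syntax an unquoted `/` opens a regular-expression literal, so the lexer reads `/16` as an unterminated regex and stops at `<EOF>`; that is the `token_mgr_error` above, and it comes from the query parser, before any mapping is consulted. Quoting the value, or sending a Query DSL `term` query, gets the CIDR to the ip-field mapper, which does understand it. The sample events, the function names and the `lucene_lex_error` mini-lexer (a deliberately small model of the Lucene classic query parser, covering only `"..."` phrase and `/.../` regex literals) are all assumptions made for this example:

```python
"""Added example, not code from the issue or from the SELKS/Scirius project.

Models a CIDR filter on an Elasticsearch `ip` field and shows why
`dest_ip: 192.168.0.0/16` fails in Kibana's Lucene syntax: an unquoted `/`
starts a regex literal, so the lexer hits <EOF> inside `/16`. Quoting the
CIDR, or using a Query DSL `term` query, avoids the lexer problem.

Sample events are constructed here (loosely shaped like Suricata fileinfo
records); `lucene_lex_error` is a simplified model of the Lucene lexer that
only tracks "..." phrase and /.../ regex literals.
"""
import ipaddress


def lucene_lex_error(query: str):
    """Return None if `query` lexes cleanly, otherwise (column, fragment):
    the 1-based column at which <EOF> was hit inside an unterminated
    "..." or /.../ literal, and the partial literal, mirroring the
    'Encountered: <EOF> after : "..."' message in the report."""
    i, n = 0, len(query)
    while i < n:
        ch = query[i]
        if ch in '"/':            # start of a phrase or regex literal
            start = i
            i += 1
            while i < n and query[i] != ch:
                i += 2 if query[i] == "\\" else 1   # skip an escaped char
            if i >= n:
                return n + 1, query[start:]
            i += 1                # consume the closing delimiter
        else:
            i += 1
    return None


def lucene_cidr_filter(field: str, cidr: str, negate: bool = False) -> str:
    """Kibana (Lucene syntax) filter with the CIDR quoted, so `/` is part of
    the term instead of opening a regex. strict=False normalises host bits
    away (10.1.2.3/8 -> 10.0.0.0/8) and rejects malformed input."""
    net = ipaddress.ip_network(cidr, strict=False)
    clause = f'{field}:"{net.with_prefixlen}"'
    return f"NOT {clause}" if negate else clause


def dsl_cidr_filter(field: str, cidr: str, negate: bool = False) -> dict:
    """Query DSL form: a `term` query on an `ip`-mapped field accepts CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    term = {"term": {field: net.with_prefixlen}}
    return {"bool": {"must_not": [term]}} if negate else term


def matches(event: dict, field: str, cidr: str, negate: bool = False) -> bool:
    """Local model of the term / must_not result for one document."""
    net = ipaddress.ip_network(cidr, strict=False)
    value = event.get(field)
    # An IPv6 address is never inside an IPv4 network (and vice versa).
    hit = value is not None and ipaddress.ip_address(value) in net
    # must_not also returns documents that lack the field entirely.
    return (not hit) if negate else hit


def apply_filter(events, field, cidr, negate=False):
    return [e for e in events if matches(e, field, cidr, negate)]


# Constructed sample documents (not real SELKS data).
SAMPLE_EVENTS = [
    {"event_type": "fileinfo", "src_ip": "192.168.1.10", "dest_ip": "8.8.8.8"},
    {"event_type": "fileinfo", "src_ip": "10.0.0.5", "dest_ip": "192.168.2.20"},
    {"event_type": "fileinfo", "src_ip": "192.168.1.11", "dest_ip": "2001:db8::1"},
    {"event_type": "fileinfo", "src_ip": "192.168.1.12"},  # no dest_ip at all
]

if __name__ == "__main__":
    broken = "dest_ip: 192.168.0.0/16"
    print(broken, "->", lucene_lex_error(broken))
    fixed = lucene_cidr_filter("dest_ip", "192.168.0.0/16", negate=True)
    print(fixed, "->", lucene_lex_error(fixed))
    print(dsl_cidr_filter("dest_ip", "192.168.0.0/16", negate=True))
    for e in apply_filter(SAMPLE_EVENTS, "dest_ip", "192.168.0.0/16", negate=True):
        print("kept:", e)
```

Before blaming the mapping, confirm it with the field mapping API (`GET logstash-fileinfo-*/_mapping/field/dest_ip`): if `dest_ip` comes back as `ip`, the quoted Lucene form or the `term` query above is all that is needed; if it is `keyword` or `text`, no query form will match by prefix until the template is fixed. Note also the negated case: `must_not` keeps documents that have no `dest_ip` at all, so "not dest_ip: 192.168.0.0/16" is not the same as "dest_ip outside 192.168.0.0/16".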