int13h/squert

Feature Request: Chain Filters

Opened this issue · 4 comments

As far as I'm aware, you are only able to use one custom filter in the new filter system. I've tried chaining them with ",", "and", and "&&", but the first filter is always the one which is applied.

For now you can just chain on a distinct filter, for example "sip ip1,ip2,ip3". I plan on adding chaining functionality outside of that constraint, like "sig malware,current_events cc cn,lv,ru" but just haven't got around to it.

Can you give me a feeling of what you want to do? Have you tried creating your own filter to achieve it?

On Wed, Apr 17, 2013 at 2:10 PM, idboehman notifications@github.com wrote:

As far as I'm aware, you are only able to use one custom filter in the new filter system. I've tried chaining them with ",", "and", and "&&", but the first filter is always the one which is applied.


What I was trying to do was the following:

We're still fine-tuning our suricata/securityonion install here and so I was making custom filters for our noisy rules. For example, not_surst filters out any events with a signature like SURICATA STREAM and not_url filters any signature ids equal to 420042. I was trying to write a query/filter such as not_url and not_surst. It's simple enough to write a query that'll do this for me, but I thought I'd try chaining them first. In fact, those filters above are so single use it's easier to just create one for both.

Related to the above, how do I filter events based on what sensor they come from? Right now I'd like only suricata/snort events to show up, as there's one signature/event which fires on every single url visited (I believe related to bro).

Thanks again for all your work on Squert, it's very appreciated!

I have been thinking about that a bit but haven't put anything to paper yet. For now you could just figure out the sids for your sensor table via mysql:

SELECT sid,agent_type FROM sensor

Once you have these you could make a filter that looks like (sid IN(1,3,5,7,19) AND ...)

I have a couple things I need to clean up yet but once they are done I will look at making both of the items a little easier
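As an added worked example (not code from the Squert project or from either participant), here are the two steps above carried through in SQL against the Sguil database that Squert reads: first list the sensors to pick out sids, then build the one combined filter the earlier comment wanted (drop the SURICATA STREAM noise, drop signature_id 420042, keep only the chosen sensors). It assumes the Sguil schema's sensor table has sid, hostname and agent_type, that the event table has sid, signature and signature_id, and that the agent_type strings your install uses are what the first query shows; the sid list 1,3,5,7,19 is just the placeholder from the comment above.

```sql
-- Step 1: list every sensor so the sids can be chosen by hand.
-- Columns assumed from the Sguil schema: sid, hostname, agent_type.
SELECT sid, hostname, agent_type
FROM sensor
ORDER BY agent_type, sid;

-- Step 2: the single combined filter expression to paste into Squert,
-- written as one WHERE-clause fragment instead of three chained filters.
-- 1,3,5,7,19 are placeholder sids from the comment above; substitute
-- the ones step 1 returned. Event columns assumed: sid, signature, signature_id.
(sid IN (1,3,5,7,19)
 AND signature NOT LIKE 'SURICATA STREAM%'
 AND signature_id <> 420042)

-- Step 3 (optional): run the same selection directly in mysql to see what
-- the filter will leave behind before relying on it in the UI. Instead of a
-- hand-typed sid list this joins on agent_type; the string values in the IN()
-- are assumptions, so replace them with whatever step 1 actually shows.
SELECT e.sid, s.hostname, e.signature_id, e.signature, COUNT(*) AS hits
FROM event e
JOIN sensor s ON s.sid = e.sid
WHERE s.agent_type IN ('snort', 'suricata')
  AND e.signature NOT LIKE 'SURICATA STREAM%'
  AND e.signature_id <> 420042
GROUP BY e.sid, s.hostname, e.signature_id, e.signature
ORDER BY hits DESC
LIMIT 20;
```

The step 3 query doubles as a check on the two exclusions: if a signature that should have been dropped still appears near the top of the hit counts, the LIKE pattern or signature_id in the filter is wrong, and it is cheaper to find that out in mysql than by staring at the Squert event view.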

Gotcha, thanks! I ended up just disabling http_agent as well as autocategorizing them (as suggested in the securityonion walkthrough, should have read that a bit closer), so hopefully that takes care of the noisy URL rule.

The reason I asked about the sensor filter was because I thought it used to be a feature of Squert at one point, maybe on the Query page, which the filters have replaced.