Welcome to the Aanval Wiki. Snort, Suricata and Syslog Intrusion Detection, Situational Awareness and Risk Management.

Visit http://www.aanval.com/ for more information.

Aanval:Advanced Search Help


The Advanced Search feature of Aanval uses a combination of plain text searching and specialized keywords to help users locate the specific events they are looking for. The Advanced Search system is accessible from anywhere within the Aanval console as well as the Event Browser display.

Additionally, Aanval's reporting capabilities are built on the Advanced Search system: reports use the same keywords and plain text searches to select the events that appear in the report output.

  • All keywords require a colon (:) and may optionally require an additional parameter.
  • String and text searches do not require a colon.
  • Keywords and strings can be mixed and matched in any combination.

Please take a moment to familiarize yourself with the available keywords and combination structures of Aanval. This will greatly enhance your efficiency at locating the information you need and generating accurate reports.

Event Management: Delete

Keyword | Function
delete: | Appended to the end of a query, marks every event matched by the preceding query for deletion.

Results: Sort

Keyword | Function
asort: | Sorts results by creation date in ascending order.
dsort: | Sorts results by creation date in descending order.

IP Address and Port

Keyword | Function
sip:192.168.100.25 | Searches the system for all events with a source IP address of 192.168.100.25.
dip:192.168.100.25/24 | Searches the system for all events with a destination IP address in 192.168.100.25/24.
sport:3535 | Searches the system for all events with the source port 3535.
dport:80-100 | Searches the system for all events with a destination port between 80 and 100.
sip:10.1.1.5 !dport:80 | Searches the system for all events with a source IP address of 10.1.1.5 and a destination port other than 80.
dport:80,443,3306 | Searches the system for all events with a destination port of 80, 443, or 3306.

Reporting

The "report:" keyword can be added to any search to automatically trigger the reporting engine.

Keyword | Function
report: today: | Generates a report of events that occurred within the current day (12:00am -> Current Time).
report: sport:3535 | Generates a report of events with a source port of 3535.
report: dport:80 sip:1.2.3.4 | Generates a report of events with a destination port of 80 and a source IP address of 1.2.3.4.

Risk/Priority/Level

The terms "risk," "level," and "priority" can be used interchangeably while searching what is generally referred to as risk. For the examples below, "risk" will be used.

Keyword | Function
risk:1 | Searches the system for all events marked as risk 1.
risk:1,3 | Searches the system for all events marked as risk 1 or 3.
risk:1-3 | Searches the system for all events marked with a risk in the listed range (1, 2, and 3).
!risk:1 | Searches the system for all events not marked as risk 1.
!risk:1,2 | Searches the system for all events not marked as risk 1 or 2.
!risk:1-3 | Searches the system for all events not marked with a risk in the listed range (1, 2, and 3).

String/Text

Keyword | Function
microsoft | Searches the system for all events that include the word "microsoft".
web attack | Searches the system for all events that include the words "web" and "attack".
attack !attempt | Searches the system for all events that include the word "attack" but not the word "attempt".

Time and Date

Keyword | Function
today: | Limits search results to events that occurred within the current day (12:00am -> Current Time).
yesterday: | Limits search results to events that occurred yesterday (12:00am -> 11:59pm of the previous day).
lastweek: | Limits search results to events that occurred within the last 7 days.
lastmonth: | Limits search results to events that occurred within the last 30 days.
lastquarter: | Limits search results to events that occurred within the last 90 days.
lastyear: | Limits search results to events that occurred within the last 365 days.
date:05/15/2014-05/20/2014 | Limits search results to events that occurred between May 15th and May 20th, 2014. The two dates act as exclusive borders: events that occurred on the 15th or the 20th themselves are not displayed. To include the border dates, widen the query by one day on each side; for this example, query 05/14/2014-05/21/2014. Likewise, if the query must include events up to today, use tomorrow's date as the last border: date:05/15/2014-<tomorrow's date>.
lasthour: | Limits search results to events that occurred within the last 60 minutes (1 hour).
lasthour:5 | Limits search results to events that occurred within the last 300 minutes (5 hours).

Miscellaneous

Keyword | Function
sensor:1 | Searches the system for all events logged on sensor 1.
recent:1000 | Limits search results to the most recent 1000 events.
store:1001 | Limits search results to events logged in datastore 1001.
event:10023 | Displays event 10023 and its details.
event:1000-1200 | Limits search results to events with IDs within the range 1000-1200.
module:1 | Searches the system for all events recorded via module 1 (Snort). Use 2 for syslog.
signature:1491 | Searches the system for all events with the signature ID of 1491.
payload:hello | Searches the system for all events with a payload that includes the word "hello" anywhere in the string.
category:3 | Searches the system for all events with a Category of 3.
seq:1285636228 | Searches the system for all events with a sequence number of 1285636228.
ack:3488219853 | Searches the system for all events with an acknowledgement number of 3488219853.
ttl:40 | Searches the system for all events with a time-to-live of 40.
win:17376 | Searches the system for all events with a window size of 17376.
len:1500 | Searches the system for all events with a length (protocol, header length, etc.) of 1500.
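As an added example that is not part of the Aanval wiki or the product's own code, the following Python matcher implements the query syntax documented in the IP/port, risk and string/text tables above (single values, comma lists, ranges, CIDR blocks, "!" negation and bare text terms) and runs several of the page's own queries against constructed sample events. The sample events, the assumption that bare text terms match the event's message field, and the omission of the time and reporting keywords are mine.

```python
import ipaddress

# Constructed sample events (not real Aanval data); keys mirror the page's keywords.
EVENTS = [
    {"id": 1, "sip": "10.1.1.5", "dip": "192.168.100.7", "dport": 80, "risk": 1, "msg": "WEB ATTACK attempt"},
    {"id": 2, "sip": "10.1.1.5", "dip": "192.168.100.9", "dport": 443, "risk": 3, "msg": "web attack detected"},
    {"id": 3, "sip": "172.16.4.2", "dip": "192.168.200.1", "dport": 3306, "risk": 2, "msg": "microsoft sql login"},
]
ADDRESS = {"sip", "dip"}
ALIASES = {"level": "risk", "priority": "risk"}  # the page says these are interchangeable

def _num_match(spec, value):
    """spec is '80', '80,443,3306' or '80-100' as on the page; any element may match."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def _addr_match(spec, value):
    """spec is a single address or a CIDR block such as 192.168.100.25/24."""
    return ipaddress.ip_address(value) in ipaddress.ip_network(spec, strict=False)

def parse_query(query):
    """Split a query into (negated, keyword, parameter) triples; bare words become 'text'."""
    terms = []
    for token in query.split():
        negated, token = token.startswith("!"), token.lstrip("!")
        key, colon, param = token.partition(":")
        key = ALIASES.get(key, key) if colon else "text"
        terms.append((negated, key, param if colon else token))
    return terms

def matches(event, terms):
    """True when the event satisfies every term; '!' inverts a single term."""
    for negated, key, param in terms:
        if key == "text":
            hit = param.lower() in event["msg"].lower()  # assumption: text searches the message
        elif key in ADDRESS:
            hit = _addr_match(param, event[key])
        else:  # numeric keywords such as dport, risk or signature
            hit = _num_match(param, event[key])
        if hit == negated:  # a positive term that missed, or a negated term that hit
            return False
    return True

def search(query, events=EVENTS):
    """Return the ids of the sample events that satisfy every term of the query."""
    terms = parse_query(query)
    return [e["id"] for e in events if matches(e, terms)]
```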

See Also