2016-09-06 11:28 AM
I have a question about how the query function in Investigator is supposed to work.
If I do a query on a meta value like ip.src such as: ip.src = 128.177.108.37
The results will show just 128.177.108.37 in meta value Source IP Address (ip.src) along with everything associated with it within investigator.
However, if I do the same kind of filter on a meta key like "filename" like so: filename = 'index.php'
I get that entry listed in the filename meta value plus lots of other file names.
Shouldn't it filter out all the other filenames? Or is this SOP for the way Investigator queries work?
Currently running 10.6.1.0 BTW.
2016-09-06 01:22 PM
Hi this is working as expected.
Let me explain a bit further.
when you do filename = 'index.php' what you are asking is "return me all sessions where there is a filename containing index.php" In a session there can be more than one filename. For example in a web session then many different files may be contained.
This is why when you may see more than one filename in a session (and get other filenames returned)
A Session can only have one source IP and destination IP associated with it, and so this is why you only get one ip shown in these cases.
Hope that is clear.
In general a session is:
1) A single log line
2) Anything that happens between the TCP three way handshake and when the TCP Connection is terminated.
3) A UDP Packet.
2016-09-06 02:28 PM
OK, that makes some sense.
I was under the impression it was similar to a database query where I'm asking NW to give me anything that had a file with the filename "index.php". That was how I looked at what the Meta Key "filename" represented.
Never really paid much attention to queries that delved into more that IP, Service Type, Source & Destination countries & Hostname Alias Records. Been delving more into the latest Live feeds that just came out (like KeyBase KeyLogger) and in that feed part of the query has "filename = 'post.php'..." We fortunately haven't had that kind of malware hit us, so I was testing it with other filenames like "index.php" and saw the odd result I was asking about.
Thanks again for the response.