Anyone who has searched PacketTotal.com has probably experienced frustration with finding relevant results. Up until this point creating specific queries was impossible because the field names displayed in the analysis console are not the same as those used on the backend. So running a search like Target IP: 184.108.40.206 simply would not work because "Target IP" exists as the field "id_resp_h" within ElasticSearch.
SearchBuilder bridges this gap, allowing you to build complex Lucene Queries to search our database.
For example, you could craft a query to return results of PCAPs containing suspicious executables with the below query.
|_type:pe AND os:*Windows* AND (section_names:*UPX* OR section_names:*TLS*)) OR alert_signature:*exe*|
This particular query checks for PCAPs containing at least one Windows executable which contains UPX (common packer) OR TLS (common anti-debugging technique) section. It will also return results if the Alert Signature from Malicious Activity (signature_alerts) contains the keyword .exe.
|(_type:irc AND NOT id_resp_h:6667) OR (_type:signature_alerts AND alert_signature:*irc*)|
The SearchBuilder interface is fairly intuitive. To get started, click the dropdown arrow directly below the search bar located on the search page.
Select a template from the templates dialog. This will populate all the fields available for search within the selected template. Due to the way the backend schema is designed you cannot AND fields from multiple templates together. For example combining fields for an HTTP specific URI AND a FTP specific target port will not work, as no one document will contain both of these fields. You could however, OR fields from multiple templates together without an issue.
SearchBuilder is yet another tool to improve the intelligence being gathered from this tool. Please feel free to email me with improvements or suggestions.
Post a Comment