1. Describe your incident:
I am trying to run a search which will return all SQL-injection-related Suricata signatures. This would include those that are of different categories, whether they be ET WEB_SERVER, TGI HUNT, etc.
2. Describe your environment:
Server OS is CentOS Linux 7 (Core)
The Graylog Version v4.2.6
RPM is Linux 3.10.0-1160.53.1.el7.x86_64
3. What steps have you already taken to try and solve the problem?
In the suricata_signature_id field, I’ve tried to run a regex search, the following:
suricata_signature: /SQL/
But it did not yield any results.
I also tried a Full Text Search:
suricata_signature: SQL
Also no results.
And finally,
suricata_signature_id: *SQL
(with a wildcard symbol before and also after SQL; I had to remove the one after the word SQL because the word would have been italicized, and I wanted to show at least one wildcard symbol).
The error message said that wildcards cannot be the first character in the search.
4. How can the community help?
I need help modifying this, as I’ve tried many different options. I know Graylog’s syntax is based on Lucene, but I’m just having difficulty making this work. Thank you.
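An added illustration, not from the original post or from Graylog itself, of why an unanchored pattern like /SQL/ can come back empty: Lucene-style regexp queries, which Graylog's /.../ syntax is built on, are matched against the entire field value, modelled here with Python's re.fullmatch over constructed signature names (the sample names and the helper functions are assumptions for the demonstration).

```python
import re

# Constructed sample values for a suricata_signature field; not real rule text.
SAMPLE_SIGNATURES = [
    "ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT in HTTP URI",
    "ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM in HTTP URI",
    "TGI HUNT Suspicious SQL Keyword in HTTP Request Body",
    "ET SCAN Nikto Web App Scan in Progress",
    "ET POLICY Outbound DNS over TCP",
]


def lucene_regexp_matches(pattern, values):
    """Mimic the full-value anchoring of a Lucene regexp query.

    Lucene matches the expression against the whole field value, so the
    Python analogue is re.fullmatch, not re.search.  "SQL" therefore only
    matches a value that is exactly "SQL"; ".*SQL.*" matches any value
    containing it.
    """
    compiled = re.compile(pattern)
    return [v for v in values if compiled.fullmatch(v)]


def signature_category(name):
    """Return the leading category prefix of an ET-style rule name,
    e.g. 'ET WEB_SERVER' or 'TGI HUNT' (hypothetical two-token convention)."""
    return " ".join(name.split()[:2])


def categories_matching(pattern, values):
    """Distinct categories among the signatures the anchored regexp matches."""
    return sorted({signature_category(v) for v in lucene_regexp_matches(pattern, values)})


if __name__ == "__main__":
    # Unanchored pattern: nothing in the sample set is exactly "SQL".
    print(lucene_regexp_matches("SQL", SAMPLE_SIGNATURES))
    # Anchored with leading/trailing .* : all three SQL-related names, across categories.
    for sig in lucene_regexp_matches(".*SQL.*", SAMPLE_SIGNATURES):
        print(sig)
    print(categories_matching(".*SQL.*", SAMPLE_SIGNATURES))
```

The same anchoring explains why a leading `.*` inside a regexp is accepted while a leading `*` in a plain wildcard term is rejected by the query parser: the regexp engine has no such restriction, the wildcard term syntax does.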