{tbl.open,width:100%,align:center,heading:Console Help} Here you will find help and documentation regarding console features and options.

You may also find solutions to problems by looking for (HELP) images located throughout the console.

{advCom} {tbl.close}

  {tbl.open,width:100%,align:center,heading:Frequent Help Topics} Advanced Search Language ( Searching & Reporting )
 
Keywords (text search / match)
web attack Searches the system for all events which include the words 'web' AND 'attack'
 
Keywords (time)
today: Limits search results to events which occurred within the current day (12:00AM -> Current Time)
yesterday: Limits search results to events which occurred yesterday (12:00AM -> 11:59PM of previous day)
lastweek: Limits search results to events which occurred within the last 7 days (12:00AM of 7th previous day -> Current Time)
lastmonth: Limits search results to events which occurred within the last 30 days (12:00AM of 30th previous day -> Current Time)
lastquarter: Limits search results to events which occurred within the last 90 days (12:00AM of 90th previous day -> Current Time)
lastyear: Limits search results to events which occurred within the last 365 days (12:00AM of 365th previous day -> Current Time)
date:5/28/07-5/30/07 Limits search results to events which occurred between May 28th, 2007 and May 30th, 2007
recent:1000 Limits search results to the most recent 1000 events
 
Keywords (data)
delete: sip:1.2.3.4 Marks all events with a source IP address of 1.2.3.4 for deletion
 
Keywords (report)
report: today: Generates report of events which occurred within the current day (12:00AM -> Current Time)
report: sport:3535 Generates report of events with a source port of 3535
report: dport:80 sip:1.2.3.4 Generates report of events with a destination port of 80 and a source IP address of 1.2.3.4
 
Keywords (general)
eventid:10023 Displays details of event with a database id of 10023
sensor:1 Searches the system for all events recorded on Sensor #1
sip:192.168.100.25 Searches the system for all events with a source IP address of 192.168.100.25
dip:192.168.100.25/24 Searches the system for all events with a destination IP address in 192.168.100.25/24
sport:3535 Searches the system for all events with a source port of 3535
dport:80-1000 Searches the system for all events with a destination port between 80 and 1000
level:3 Searches the system for all events with a risk level of 3
module:1 Searches the system for all events recorded via module 1 (snort) [use 2 for syslog]
signature:1491 Searches the system for all events with a signature id of 1491
category:3 Searches the system for all events with a category of 3
seq:1285636228 Searches the system for all events with a sequence number of 1285636228
ack:3488219853 Searches the system for all events with an acknowledgement number of 3488219853
ttl:40 Searches the system for all events with a time-to-live of 40
win:17376 Searches the system for all events with a window size of 17376
len:1500 Searches the system for all events with a length (protocol, header length, etc.) of 1500
 
Keywords (sorting)
asort: hello Searches the system for all events which include the text 'hello' and returns them sorted in ascending order
dsort: dport:1212 Searches the system for all events with a destination port of 1212 and returns them sorted in descending order
 
Misc
dport: 80,443,3306 Searches the system for all events with a destination port of 80 or 443 or 3306
 
Exclusions
sip:10.1.1.5 !dport:80 Searches the system for all events with a source IP address of 10.1.1.5 and not a destination port of 80
attack !attempt Searches the system for all events which include the word 'attack' and not the word 'attempt'

* Note: You can combine most of the above keywords together to form an advanced search. {tbl.close}
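As an added illustration (not code from the console itself), the following Python model of the search language above tokenizes a query, turns each keyword into a filter, ANDs the filters, and honours ! exclusions, port ranges and comma lists, CIDR blocks, the time keywords and the report:/delete:/asort:/dsort:/recent: prefixes, then runs the result over constructed sample events. The event field names, the fixed "now" timestamp and the sample events are assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta

NUMERIC = {"sport", "dport", "level", "sensor", "module", "signature",
           "category", "seq", "ack", "ttl", "win", "len", "eventid"}
TIME_WINDOWS = {"today": 0, "yesterday": 1, "lastweek": 7,
                "lastmonth": 30, "lastquarter": 90, "lastyear": 365}
DAY = timedelta(days=1)
# Constructed sample events (not from the page); field names mirror the console keywords.
NOW = datetime(2007, 5, 30, 12, 0)
EVENTS = [
    dict(eventid=1, ts=datetime(2007, 5, 30, 9, 0), sip="10.1.1.5", dip="192.168.100.25", sport=40001, dport=80, level=3, sensor=1, text="WEB-ATTACK attempt"),
    dict(eventid=2, ts=datetime(2007, 5, 29, 23, 30), sip="10.1.1.5", dip="192.168.100.40", sport=40002, dport=443, level=2, sensor=1, text="web attack"),
    dict(eventid=3, ts=datetime(2007, 5, 20, 8, 0), sip="1.2.3.4", dip="192.168.200.9", sport=3535, dport=22, level=1, sensor=2, text="ssh brute force"),
]

def match_number(value, spec):  # '80' exact, '80-1000' range, '80,443,3306' any of
    lo, _, hi = spec.partition("-")
    return int(lo) <= value <= int(hi) if hi else value in {int(x) for x in spec.split(",")}

def parse_query(query, now):
    """Compile one console search string into AND-ed predicates plus prefix options."""
    preds, opts = [], {}
    for tok in query.split():
        negate = tok.startswith("!")                  # '!dport:80' excludes the match
        key, _, val = tok.lstrip("!").partition(":")
        if key in ("report", "delete", "asort", "dsort", "recent"):   # prefixes, not filters
            opts[key] = int(val) if key == "recent" else True
            continue
        if key in TIME_WINDOWS:                       # 'today:' .. 'lastyear:' (12:00AM -> now)
            start = (now - TIME_WINDOWS[key] * DAY).replace(hour=0, minute=0, second=0, microsecond=0)
            end = start + DAY if key == "yesterday" else now + timedelta(seconds=1)
            pred = lambda e, s=start, t=end: s <= e["ts"] < t
        elif key == "date":                           # 'date:5/28/07-5/30/07', both days inclusive
            a, b = (datetime.strptime(d, "%m/%d/%y") for d in val.split("-"))
            pred = lambda e, a=a, b=b: a <= e["ts"] < b + DAY
        elif key in ("sip", "dip"):                   # single address or CIDR block
            net = ipaddress.ip_network(val, strict=False)
            pred = lambda e, k=key, n=net: ipaddress.ip_address(e[k]) in n
        elif key in NUMERIC:                          # exact value, range or comma list
            pred = lambda e, k=key, v=val: match_number(e[k], v)
        else:                                         # bare word: case-insensitive text match
            pred = lambda e, w=key.lower(): w in e["text"].lower()
        preds.append((lambda e, p=pred: not p(e)) if negate else pred)
    return preds, opts

def search(events, query, now=NOW):
    """Filter, sort newest-first unless 'asort:' was given, then cap with 'recent:N'."""
    preds, opts = parse_query(query, now)
    hits = [e for e in events if all(p(e) for p in preds)]
    hits.sort(key=lambda e: e["ts"], reverse=not opts.get("asort"))
    return hits[: opts.get("recent")], opts
```

The returned options tell the caller whether the query was a plain search, a report: or a delete:, so a real console would route on them rather than filter alone.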