Search template into painless script

Hi Team,

I'm new to Elasticsearch; I'll explain my problem:

I currently have two types of documents in the "modsec" index

  • the first has (in its fields) an array of strings like this:

"m_data": [
  "test@test.it' and 1=1 -- ",
  "password' or 1 =1 -- "
]

  • the second has a string like this:
    "argument": "SELECT username,password FROM utente where username = 'test@test.it' and 1=1 -- '"

My purpose is to find the queries (second type of document) that contain one of the values of m_data.

I thought of using a search template like this:

POST _scripts/search_query
{
  "script": {
    "lang": "mustache",
    "source": {
      "query": {
        "bool": {
          "must": [
            {
              "match_phrase": {
                "argument": "{{query_string}}"
              }
            }
          ],
          "filter": {
            "term": {
              "command": "query"
            }
          }
        }
      }
    }
  }
}

and to call it from a Painless script like this:

GET modsec/_search
{
  "query": {
    "match_all": {}
  },
  "script_fields": {
    "malicious queries": {
      "script": {
        "lang": "painless",
        "source": """
          for (int i = 0; i < doc['m_data'].length; ++i) {
                result = #something to call search_query with doc['m_data'][i];
          }
          return result;
        """
      }
    }
  }
}

Is it the right way to proceed or is there an easier way?

Thanks in advance,
Mattia

It sounds like you are trying to do a join. There isn't a way to make external calls from within a script; this would be extremely expensive. In particular, it would mean doing a search request for every document in your index since you are using a match_all query.

You'll need to do this client side, and it would be better to restrict your original query with some type of filter or search so that the data returned is a reasonable size. You can then craft a single followup query. Another possibility is to model your data differently to use the join field type. You might also consider checking out our new SIEM offering.
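The client-side flow suggested in this reply, as an added example that is not code from the thread or from Elastic: a first (filtered) search collects the distinct m_data values, a single follow-up bool query then looks for any of those phrases in the "argument" field of the "command: query" documents. The index and field names come from the question; the sample hits, the clause cap and the offline stand-in for the second search are constructed assumptions.

```python
import json

# Constructed sample hits: what a first, filtered search over the documents that
# carry the "m_data" array might return (not real data from the thread).
SAMPLE_MDATA_HITS = [
    {"_source": {"m_data": ["test@test.it' and 1=1 -- ", "password' or 1 =1 -- "]}},
    {"_source": {"m_data": ["password' or 1 =1 -- "]}},  # duplicate on purpose
]
# Constructed "command: query" documents used by the offline check below.
SAMPLE_QUERY_HITS = [
    {"_source": {"argument": "SELECT username,password FROM utente where username = 'test@test.it' and 1=1 -- '"}},
    {"_source": {"argument": "SELECT username FROM utente where username = 'bob'"}},
]

def collect_mdata_values(hits, max_clauses=512):
    """Flatten and de-duplicate the m_data arrays returned by the first search.
    max_clauses is a hypothetical safety cap: a bool query with thousands of
    should clauses is slow and can exceed the cluster's clause limit, which is
    why the first search should already be narrowed (time range, host, rule)."""
    values = {v.strip() for h in hits for v in h["_source"].get("m_data", []) if v.strip()}
    if len(values) > max_clauses:
        raise ValueError(f"{len(values)} values exceed the cap of {max_clauses}; narrow the first query")
    return sorted(values)

def build_followup_query(values, size=100):
    """One follow-up request: a 'command: query' document matches when its
    'argument' field contains at least one of the collected m_data phrases."""
    return {
        "size": size,
        "_source": ["argument"],
        "query": {
            "bool": {
                "filter": [{"term": {"command": "query"}}],
                "should": [{"match_phrase": {"argument": v}} for v in values],
                "minimum_should_match": 1,
            }
        },
    }

def local_phrase_check(values, query_hits):
    """Offline stand-in for the follow-up search so the flow can be tried without
    a cluster: a case-insensitive substring test, which only approximates the
    analyzer-based match_phrase that Elasticsearch would run."""
    found = []
    for h in query_hits:
        arg = h["_source"]["argument"]
        if any(v.lower() in arg.lower() for v in values):
            found.append(arg)
    return found

if __name__ == "__main__":
    phrases = collect_mdata_values(SAMPLE_MDATA_HITS)
    print(json.dumps(build_followup_query(phrases), indent=2))
    print(local_phrase_check(phrases, SAMPLE_QUERY_HITS))
```

The dict returned by build_followup_query is the body to send as the second request against the modsec index with whatever client you use.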
