This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Regex to many hits

PhilFinn
Beginner
Beginner

‎2014-02-12 02:50 PM

I am trying to create an Informer rule that will feed a Informer alert.  I am basically looking for a direct to IP http connection followed by a query string that contains a "/" followed by 44 alpha or numeric string.  This is what I wrote as the rule:

 

query regex \/[a-z0-9]{44} && risk.suspicious = 'direct to ip http request'

 

It works but I am also getting stuff like the attached file being flagged.  Can anyone tell me what I am doing wrong?

Preview file
2 KB
0 Likes
4 REPLIES 4

RSAAdmin
Beginner
Beginner

‎2014-02-13 12:49 PM

Do you have multiple "query" meta in the session that is flagged?  If so, only one meta needs to hit in order to cause that session to return as a result.

0 Likes

PhilFinn
Beginner
Beginner
In response to RSAAdmin

‎2014-02-13 01:02 PM

Nope that is the only query for this session which is why I was confused.  I can't see how this could have triggered.


0 Likes

SeanKoniarz
Beginner
Beginner
In response to PhilFinn

‎2014-02-19 07:59 AM

Possibly hitting some limit that informer is setting without you knowing?  I am using SA so I can't test it but on regexpal your correctly formatting everything. 

0 Likes

huanzhou1
Beginner
Beginner
In response to SeanKoniarz

‎2014-04-07 10:24 AM

can you share the pcap so maybe we can test?

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.