2015-07-07 05:10 PM
I'm a bit perplexed by this one. The last time I ran across this same error, recently, I figured a way around it by taking out the value I was trying to have in the rule. But....
I've constructed a scenario I want to create a rule against, and I'm unsure how to do so:
SELECT * FROM
Event(
medium = 32
AND
threat_source = <insert threat source value here>
AND
traffic_direction = <Internal to external>
AND
action = 'tcp_hit'
);
Syntax passes with flying colors!
I go to sync the rule and it starts off out of the gate disabled (discovered recently there are two tollgates to getting a rule deployed).
The error message states as such:
Esper deployment of module "<Keith's first super awesome advanced rule>" (id=559c3ce3f2803e7bd95fd4ba) failed. Reason: Deployment failed in module 'Module_1999090174_Alert' in module url '559c3ce3f2803e7bd95fd4ba' in expression '@RSAAlert(oneInSeconds=0, identifiers={"user_dst"}...(221 chars)' : Implicit conversion from datatype 'String' to 'String[]' is not allowed [@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM
Event(
medium = 32
AND
threat_source = <insert threat source value here>
AND
traffic_direction = <Internal to external>
AND
action = 'tcp_hit'
)]
On a previous attempt at such a rule, I had to go to Settings --> Meta key reference and find which one was the 'String[]'.
Unfortunately, for the scenario I am trying to make a rule for, the action meta is vital (and of course, it's the action meta that's the 'String[]').
Any help and/or guidance would be greatly appreciated.
2015-07-08 08:39 AM
Why do you use the placeholders in the brackets?
Here, the criteria have to be used.
SELECT * FROM
Event(
medium = 32
AND
threat_source
in ('netwitness', 'rsa-firstwatch', '... all the other stuff you need')
AND
traffic_direction in ( 'Internal','external')
AND
action = 'tcp_hit'
);
regards
davme
2015-07-08 09:32 AM
The brackets were just my attempt at a "variable of my choosing". (I could have used threat_source = $threat_source_value).
The real rule does look something like what you said, but....
It's the action meta key that it's barking about... and it's a key piece in forming the scenario I want to alert against.
I was playing around with another scenario recently in practice and I ran across the same thing; /var/log/messages indicated: Implicit conversion from datatype 'String' to 'String[]' is not allowed.
For the test case, I figured out the value it didn't like and removed it (testing and learning). But in this case, that meta key is pretty crucial.
The bottom line: I need to find a way to still be able to use a String[] value with another String value (the action meta used with threat_source in this case).
2015-07-08 10:14 AM
Maybe it is an operator issue?
Check this out:
http://www.espertech.com/esper/release-5.1.0/esper-reference/html/epl-operator.html
Section 9.7, The 'in' Keyword
'=' compares to a single value like a singular String
'in' compares to a list of values like an array String[]
2015-07-08 05:27 PM
It was an operator issue.
I did take the scenic route on the solution.
The final answer was as follows:
(
'tcp_hit' IN (action)
)
That got past the 2nd toll gate and the rule enabled.
2015-09-09 06:24 AM
Managed to avoid the scenic route thanks to your efforts, appreciated!
2015-10-09 03:19 AM
You have to use IN() because meta action is defined as an array of String (action=[Ljava.lang.String).
Types of meta are defined in ESA / Explore / CEP / Engine / Configuration / StreamTypeMappings.
So, you also have to use IN() for these meta:
2016-06-06 05:52 AM
How should my list look if I would like to use alias_host not equal to 'x', 'y' and 'z'?
alias_host NOT IN ('x','y','z') does not work.
2016-06-06 06:15 AM
Morning Alexey,
Have you tried using the syntax that is generated when you use the basic rule builder?
When I tried this I got the following code generated:
SELECT * FROM Event(
/* Statement: Alias Host */
(isOneOfIgnoreCase(alias_host,{ 'x' , 'y' , 'z' }))
)
2016-06-06 06:25 AM
Hello David,
I have not tried that. This is a good way to solve the issue. The correct form is:
(isNotOneOfIgnoreCase(alias_host,{ 'x' , 'y' , 'z' }))
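Pulling the thread's pieces together, the following is one complete ESA rule that combines scalar meta (compared with '=' or IN against a list of literals) with the array meta 'action' (tested as 'tcp_hit' IN (action), scalar on the left and array on the right) and the alias_host exclusion from the last reply. This is an added example, not code posted by any participant or shipped by RSA; the threat_source and traffic_direction values, the 'x','y','z' hosts and the @RSAAlert identifiers are placeholders, and which keys are String versus String[] in your environment must be confirmed under ESA / Explore / CEP / Engine / Configuration / StreamTypeMappings as described above.

```epl
/* Added example assembled from the thread, not a participant's rule.
   Assumed types: medium, threat_source and traffic_direction are scalar meta;
   action and alias_host are String[] (array) meta, as the thread states.
   Verify the real types under
   ESA / Explore / CEP / Engine / Configuration / StreamTypeMappings. */
@RSAAlert(oneInSeconds=0, identifiers={"user_dst"})
SELECT * FROM Event(
    /* Scalar meta: '=' against a single literal is fine. */
    medium = 32
    AND
    /* Scalar meta compared with a list of allowed literals.
       Placeholder values; substitute the sources you actually want. */
    threat_source IN ('netwitness', 'rsa-firstwatch')
    AND
    /* Placeholder direction values; check the real ones in your data. */
    traffic_direction IN ('Internal', 'external')
    AND
    /* Array meta: the literal goes on the LEFT and the String[] key on the
       RIGHT. Writing action = 'tcp_hit' instead deploys disabled with
       "Implicit conversion from datatype 'String' to 'String[]' is not allowed". */
    'tcp_hit' IN (action)
    AND
    /* Array meta exclusion: alias_host NOT IN ('x','y','z') does not work for a
       String[] key; use the helper the basic rule builder generates instead. */
    (isNotOneOfIgnoreCase(alias_host, { 'x' , 'y' , 'z' }))
);
```

If the rule still deploys disabled, the cause is almost always another key whose type is String[] but is being compared with '='; the error text names the expression, so check that key's type in StreamTypeMappings and switch it to the 'literal' IN (key) form shown above.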