This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

EPL Advanced Rule

Anonymous
Not applicable

‎2017-03-01 05:07 PM

I am creating a simple rule with the below syntax, the rule was copied from a working basic rule and it is not firing as advanced rule, why???

 

@Description('')
@RSAAlert(oneInSeconds=0)

SELECT * FROM Event(
/* Statement: test */
(eth_src .toLowerCase() IN ('00:50:56:01:2F:F5'))

)

;

0 Likes
2 REPLIES 2

LeeKirkpatrick
Valued Contributor Valued Contributor
Valued Contributor

‎2017-03-02 05:26 AM

Hi Bechara,

 

In the rule, the Java.Lang String Method .toLowerCase() has been used; this converts all metadata to lower case. Meaning that the MAC address you are looking for - 00:50:56:01:2F:F5 - needs to be in lower case - 00:50:56:01:2f:f5 - for this rule to work as expected.

Cheers,

Lee

0 Likes

Anonymous
Not applicable
In response to LeeKirkpatrick

‎2017-03-02 07:21 AM

thanks LEE, but the syntax is copied from a basic rule, with same syntax.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.