NetWitness Community

supportsoc · ‎2020-08-06

Hello Team,

I am getting an error while executing the below advanced EPL rule, please help me out.

@RSAAlert(oneInSeconds=0)

SELECT * FROM

Event (

medium = 1

AND device_type='checkpointfw1'

AND ip_src IS NOT NULL

AND ip_dst IS NOT NULL

AND action IS 'accept'

AND alert_id IS 'TS-Outbound'

AND (port_dst_all= 22,3389)

FOLLOWEDBY action IS not 'drop'

).std:groupwin(ip_src)

.win:time_length_batch(100 sec, 1)

.std:unique(ip_src)

GROUP BY ip_dst

HAVING count(ip_src) = 1

;

ERROR : Syntax error in module. Unrecognized control characters found in text, failed to parse text

DaveGlover · ‎2020-08-06

Unless something has changed you can not use entity keys in EPL rules.

This must be changed -> port_dst_all= 22,3389 to something like ip.dstport in (22,3389)

Also action is an array key so it must be written like this -> (isOneOfIgnoreCase(action,{ 'accept' }))

supportsoc · ‎2020-08-06

Hi, Thanks for the reply.. Still a new error

Syntax error in module. Incorrect syntax near 'FOLLOWEDBY' expecting a closing parenthesis ')' but found an identifier at line 11 column 2, please check the filter specification within the from clause [@RSAAlert(oneInSeconds=0)
SELECT * FROM
Event (
medium = 1
AND device_type='checkpointfw1'
AND ip_src IS NOT NULL
AND ip_dst IS NOT NULL
AND (isOneOfIgnoreCase(action,{ 'accept' }))
AND alert_id IS 'TS-Outbound'
AND ip.dstport IN (22,3389)
FOLLOWEDBY (isNotOneOfIgnoreCase(action,{ 'drop' }))
).std:groupwin(ip_src)
.win:time_length_batch(100 sec, 1)
.std:unique(ip_src)
GROUP BY ip_dst
HAVING count(ip_src) = 1]

JoshRandall · ‎2020-08-06

I may be wrong, but I don't believe FOLLOWEDBY is valid EPL language.

I don't want to assume I know exactly what you're trying to do here, so….what scenario or traffic pattern are you trying to alert against?

Mr. Mongo

JohnSnider · ‎2020-08-06

medium=1 is packets(network), so are you looking at packet sessions or log events? If logs, then medium=32.
device_type is a normally a log key, written by log parsers, unless you are writing something into that from a feed or rule based on packet meta, so you seem have mixed keys in here
alert.id is an array key, so had to be queried as such (furthermore, you should NOT be writing any custom data to alert.id, it is an internal key used to evaluate our internal nw##### values with the "investigation" feed to add information to multiple fields (analysis.service, analysis.session, ioc,eoc,...) use a custom key of your own for writing meta to from app rules and feeds.
FOLLOWEDBY is really a "MATCH RECOGNIZE" function, (you could have written this whole query in Rule builder first and then converted it to an advanced rule to tweak the timing of the match)

Try this if you are doing log data, if packet, change medium to 1

SELECT * FROM Event(

(medium IN ( 32 )
AND device_type IN ( 'checkpointfw1' )
AND ip_src IS NOT NULL
AND ip_dst IS NOT NULL
AND isOneOfIgnoreCase(action,{ 'accept' })
AND ( 'TS-Outbound' = ANY( alert_id ) )
AND ip_dstport IN ( 22 , 3389 ))
OR
(isNotOneOfIgnoreCase(action,{ 'drop' }))
).win:time(100 Seconds)
MATCH_RECOGNIZE (
PARTITION BY ip_src
MEASURES E1 as e1_data , E2 as e2_data
PATTERN (E1 E2)
DEFINE
E1 as (E1.medium IN ( 32 ) AND E1. device_type IN ( 'checkpointfw1' ) AND E1.ip_src IS NOT NULL AND E1.ip_dst IS NOT NULL AND isOneOfIgnoreCase(E1.action,{ 'accept' }) AND ( 'TS-Outbound' = ANY( E1.alert_id ) ) AND E1.ip_dstport IN ( 22 , 3389 )),
E2 as (isNotOneOfIgnoreCase(E2.action,{ 'drop' }))
);

This will find either event happening in the time frame, but only trigger if event1 happens then is followed by event 2

NetWitness Community

Error while executing an Advanced EPL rule