NetWitness Community

JoeGumke · ‎2017-02-21

We have a need to look for wildcard matches in a string array within an ESA correlation alert.

I can get the string value to match using the syntax below, but need to get a wildcard match as we need to see matches of domains that match prior to this value.

Syntax for static match of 'maliciousdomain'. Need to get a wildcard to match anything before 'maliciousDomain'.

@Description('')
@RSAAlert(oneInSeconds=0)

        SELECT * FROM Event(
            medium = 1
            AND ('maliciousDomain' = ALL( alias_host )));

Anonymous · ‎2017-02-21

Do you mean something like "bad.maliciousdomain.com" or "really.bad.maliciousdomain.com" ?

JoeGumke · ‎2017-02-21

Hey chris,

Yes sir.

Anything that ends with "maliciousdomain.com", or "*maliciousdomain.com"

LeeKirkpatrick · ‎2017-02-22

Hey Joseph,

For this, you would need to use a lambda expression like the below to iterate through the elements in the array:-

SELECT * from Event(alias_host.AnyOf(a=> a.toLowerCase().contains('maliciousdomain')))

I added the java.lang.String Method toLowerCase() to make the match case insensitive but you can remove if it is not necessary.

This syntax can also be edited to use any operator, e.g.:-

SELECT * from Event(alias_host.AnyOf(a=> a LIKE '%maliciousdomain.com'))

Cheers,

Lee

Anonymous · ‎2017-02-22

Another way to do this would be outside of ESA entirely. You could create application rules on your packet decoders that specifically look for the domain of interest.

name=maliciousdomain rule="alias.host ends 'maliciousdomain.com'" alert=alert type=application

Then, just have ESA look for alert = 'maliciousdomain' since it will already be meta at that point.

You could also look for the root host for any and all sessions where alias.host is populated. I wrote a parser to help with that. The purpose being that if I wanted to exclude any domain, I could. This uses a custom meta key called 'root.host', so an index change on the concentrators would be needed if you wanted to query against it.

The parser works by performing a meta callback against 'alias.host' and then examining the location of all the dots in the hostname. It then compares the last position against the TLD's listed in a table and then moves to the left if found.

Since this is just performing a meta callback, it can work on both packet and log decoders.

Chris

JoeGumke · ‎2017-02-22

thanks lee. I tried both variations of what you had posted above, and both do not work.

LeeKirkpatrick · ‎2017-02-22

Hey Joseph,

Are you able to post the whole EPL rule so I may take a look?

Cheers,

Lee

JoeGumke · ‎2017-02-22

Hi Lee,

this is it:

@Description('')
@RSAAlert(oneInSeconds=0)

SELECT * from Event(
medium = 1
AND alias_host.AnyOf(a=> a LIKE '%maliciousDomain.com'));

LeeKirkpatrick · ‎2017-02-22

Thanks.

Was the issue the rule did not deploy? Or that the rule did not alert when deployed?

JoeGumke · ‎2017-02-22

Hi Lee,

The rule deploys onto the ESA just fine, it's that the rule does not fire properly when injecting packets.

NetWitness Community

ESA - Wildcard in String Array