NetWitness Community

HidayatLalBaz · ‎2018-04-11

Hello everybody,

I hope you can help me out.
I have created a rule in EPL that should trigger whenever the corresponding event occurs in one of the metafields. I would also like to receive an alarm if a certain IP range occurs. In order not to list the entire IP range, I would like to use RegExp here. Can either of you tell me how to integrate RegExp into my rule?

My code looks like this, but unfortunately I get a syntax error:

SELECT * FROM
Event(
medium = 32 AND
ec_activity = 'Logon' AND
ec_theme = 'Authentication' AND
ec_outcome = 'Failure' AND
result = 'failed publickey' AND

(matchRegex(device_ip, "(10\.169\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))")) AND
user_dst IS NOT NULL AND
host_src IS NULL
).std:groupwin(user_dst_hash , device_ip , device_host).win:time_length_batch(120 seconds, 3) GROUP BY user_dst_hash , device_ip , device_host HAVING COUNT(*) = 3;

jeffshurtliff · ‎2018-04-11

Hi Hidayat,

I have moved this thread to the RSA NetWitness Platform" data-type="space so that you can get an answer to your question.

You can post future questions and discussions directly to that community by clicking on the Ask a Question or Start a Discussion button on the RSA NetWitness Platform" data-type="space page.

Thanks,
Jeff

JoshRandall · ‎2018-04-11

Hi Hidayat,

You are looking to match against anything in the 10.169.0.0/16 range, yes?

One issue with your match statement - it will not match against the full 0-255 range in the last octet, only against the first digit in the octet.

For example:

10.169.255.1 à this would match fully

10.169.255.100 à this would match only to "10.169.255.1”

10.169.255.255 à this would match only to "10.169.255.2”

You can fix this by either adding string beginning (^) and string end ($) tokens to your regex:

(^10\.169\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$)

Or by using a different regex that does not need them:

(10\.169\.[0-9]{1,3}\.[0-9]{1,3})

A second potential issue I see with the rule is that you are grouping by user_dst_hash. If you have not set up data obfuscation on the user.dst meta key, then user.dst.hash meta will not be available for ESA. I'd recommend you double-check that meta is available in ESA.

Lastly - if you want to group by distinct user.dst values, you could change your grouping statement to:

.std:groupwin(device_ip , device_host).win:time_length_batch(120 seconds, 3).std:unique(user_dst) GROUP BY device_ip , device_host HAVING COUNT(*) = 3

Let us know if this works for you.

Mr. Mongo

SravanKoneti1 · ‎2018-04-12

On top of Jashua's recommendations.

https://community.rsa.com/docs/DOC-85694 document might help on ip regex for EPL.

HidayatLalBaz · ‎2018-04-18

Hi Joshua,

I was very grateful for your quick support, thank you very much.

Your help was great, the EPL-"compiler" doesn't report a syntax error anymore. Right now, I'm testing to see if the rule works.

Kind regards

Hidayat

HidayatLalBaz · ‎2018-04-18

Hi Sravan,

thanks for your help and the nice tip.

Kind regards

Hidayat

HidayatLalBaz · ‎2018-04-19

Hi Joshua,

everything's working fine. Thanks for the help.

DeepakShukla2 · ‎2019-07-12

Hi Joshua,

Just to test the internal traffic, have created below, rule is saved but not thoroughing any alert. Don't know what's wrong here. Your suggestions will be highly appreciated!

@Name('test-internal')
@RSAAlert(oneInSeconds=0)

SELECT * FROM Event
(
device_class IS NOT NULL
AND (matchRegex(ip_src, "(10\.[0-9]{1,3}|172\.(3[01]|2[0-9]|1[6-9])|192\.168)\.[0-9]{1,3}\.[0-9]{1,3})"))
AND (matchRegex(ip_dst, "(10\.[0-9]{1,3}|172\.(3[01]|2[0-9]|1[6-9])|192\.168)\.[0-9]{1,3}\.[0-9]{1,3})"))
)
.std:groupwin(ip_src, ip_dst)
.win:time_length_batch(60 seconds, 200)
GROUP BY ip_src, ip_dst
;

JohnSnider · ‎2019-07-12

Though not an answer for using regex for an IP range in EPL, I highly suggest tagging any IP ranges using either a Feed or Application Rule on the Decoders (Log, Network or Endpoint), some of this may already be done if you have configured the traffic_flow_options.lua file to recognize your internal networks, they would then be tagged in both the 'netname' key buy "name src" or "name dst" and the 'direction' key for "inbound","outbound", & "lateral"

Let the decoders do the heavy lifting instead of making complex regex like queries in EPL, it's more efficient.

JoshRandall · ‎2019-07-12

Hi Deepak,
I highly recommend https://regex101.com/. I think I’ve used that tool for pretty much every single regex I’ve ever written.

A simple copy/paste of your matchRegex statements into regex101 shows that you have an unmatched parenthesis at the end of each:

This is caused by a right parenthesis ")" in the middle of your regex (after the 192\.168\.) that should not be there.

That said, I'll echo what John Snider‌ says below about using feeds and/or app rules and/or the traffic_flow_options.lua file to tag your ip ranges with meta and use that meta in your ESA rules. Let your decoders do as much of the heavy lifting as you can.

Mr. Mongo

NetWitness Community

How do I enter an IP range in EPL using RegEx?