This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

RSA SA ESA advanced rule contains operator

OwenCheng
Beginner
Beginner

‎2016-05-02 12:23 PM

I created a ESA advanced rule to detect command "monitor session" from Cisco ACS device. The rule requirement is simply, but i have to use Advanced one, because meta "Action" is an array.

 

Here below the code, I got it from other post. I can sync to ESA, but it doesnt seems working. No alert is generated. Where is going wrong? please help

 

Thanks a lot

 

***********************************************

 

SELECT * FROM Event WHERE

action.anyOf(i => i.contains("monitor session")) and device_type IN ('ciscosecureacs');

 

***********************************************

 

Log sample:

 

Apr 28 17:07:01 PP-26-CM5-ACS-01 CSCOacs_TACACS_Accounting 0000607119 1 0 2016-04-28 17:07:01.947 +08:00 0000342367 3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ACSVersion=acs-5.6.0.22-B.225, ConfigVersionId=12, Device IP Address=172.22.23.22, CmdSet=[ CmdAV=no monitor session 1 destination interface FastEthernet 0 21 <cr> ], RequestLatency=0, Type=Accounting, Privilege-Level=1, Service=Login, User=admin, Port=tty1, Remote-Address=172.22.22.25, Authen-Method=TacacsPlus, AVPair=task_id=1067, AVPair=start_time=1461834421, AVPair=timezone=(HKT), AVPair=priv-lvl=15, AcctRequest-Flags=Stop, Service-Argument=shell, AcsSessionID=PP-26-CM5-ACS-01/250224432/26667, SelectedAccessService=Default Device Admin, Step=13006 , Step=15008 , Step=15004 , Step=15012 , Step=13035 , NetworkDeviceName=remote-sw2, NetworkDeviceGroups=Device Type:All Device Types:HK_Cisco_Switch, NetworkDeviceGroups=Location:All Locations:DR, Response={Type=Accounting; AcctReply-Status=Success; }

0 Likes
3 REPLIES 3

TravisGrosch
Beginner
Beginner

‎2016-05-04 10:52 AM

Owen,

Not sure what version you are using, but 10.6 allows you to use the basic rule. When you build the condition there is a check box for array.Just that on the meta that is currently in an array.

 

(isOneOfIgnoreCase(action,{ 'monitor session' }) AND device_type .toLowerCase() IN ( 'ciscosecureacs' )) is the output from using basic. That should work for you.

0 Likes

OwenCheng
Beginner
Beginner
In response to TravisGrosch

‎2016-05-05 01:14 AM

10.4 is using. I tried your statement. No syntax error, but not able to sync up to ESA.

 

Got java.util.concurrent.ExecutionException: java.lang.illegalAurgementException: Esper deployment of module

0 Likes

DavidWaugh1
Employee
Employee

‎2016-05-06 03:37 AM

Hello,

 

I tried out the syntax on the Esper Tryout Page and it worked: (EsperTech Esper EPL Online )

 

In the EPL Module Text I entered:

create schema Event(device_type string,action string[]);

@Name('Out') select * from Event;

@Name('Result') SELECT * FROM Event WHERE action.anyOf(i => i.toLowerCase().contains("monitor") and device_type IN ('ciscosecureacs'))

 

In the Time and Event Sequence I entered:

Event={device_type='ciscosecureacs', action=eval("{'[ cmdav=no monitor session 1 destination interface fastethernet 0 21 <cr>','POST'}")  }

 

In my Scenario Results I got:

 

At: 2001-01-01 08:00:00.000

  • Statement: Out
    • Insert
      • Event={device_type='ciscosecureacs', action=['[ cmdav=no monitor session 1 destination interface fastethernet 0 21 <cr>','POST']}
  • Statement: Result
    • Insert
      • Event={device_type='ciscosecureacs', action=['[ cmdav=no monitor session 1 destination interface fastethernet 0 21 <cr>','POST']}

 

This means that the rule should be firing.

 

I would open a support case as this looks to be some sort of bug with the ESPER engine. Mention this thread in the support case.

 

esper.jpg

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.