2019-08-19 08:09 AM
Hi Friends,
I am getting the error "unknown method Collection.toLowerCase()" when I try to deploy the Esper rule below in ESA. Can anyone help?
This happened after the upgrade from 11.x to 11.3.1.0.
Snippet:
@RSAAlert(oneInSeconds=0)
@Hint('reclaim_group_aged=100')
SELECT * FROM Event(
/* Statement: symantecav */
(device_type .toLowerCase() IN ( 'symantecav' ) AND isOneOfIgnoreCase(action,{ 'left alone' }))
OR
/* Statement: Fireeye */
(device_type .toLowerCase() IN ( 'fireeyewebmps' ) AND msg_id IN('malware-callback'))
OR
/* Statement: Upload */
(service IN ( 21 ) OR (risk_info .toLowerCase() IN ( 'file transport over unknown protocol' ) AND tcp_dstport IN (80))
)).win:time(10 Minutes)
MATCH_RECOGNIZE (
MEASURES E1 as e1_data , E2 as e2_data, E3 as e3_data
PATTERN (E1 E2 E3 E3 E3 E3)
DEFINE
E1 as (E1.device_type .toLowerCase() IN ( 'symantecav' ) AND isOneOfIgnoreCase(E1.action,{ 'left alone' })),
E2 as (E2.device_type .toLowerCase() IN ( 'fireeyewebmps' ) AND E2.msg_id IN('malware-callback')AND E2.ip_src = E1.ip_src),
E3 as ((E2.service IN ( 21 ) OR (E3.risk_info .toLowerCase() IN ( 'file transport over unknown protocol' )AND E3.tcp_dstport IN (80))) AND E3.ip_src = E2.ip_src)
);
2019-08-19 08:33 AM
Hello John,
The syntax for meta 'risk_info' should be written as 'isOneOfIgnoreCase(risk_info,{ 'file transport over unknown protocol' })' instead of 'risk_info .toLowerCase() IN ( 'file transport over unknown protocol' )'.
Because 'risk_info' is an Array meta key like the 'Action' meta key.
2019-08-19 09:38 AM
Thanks a lot Mustafa.
For the code below I am getting the error "collection or array comparison not allowed for the IN, ANY, SOME or ALL keywords". Could you help?
@Hint('reclaim_group_aged=900')
@Name('Module_568fb36ee4b07c86bd048008_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
SELECT * FROM
Event(
device_class in ('IDS','IPS', 'Intrusion', 'Vulnerability')
AND ip_src is not null
AND ip_dst is not null
AND ip_src NOT IN ('10.150.5.12', '10.150.5.182' , '10.150.5.183' , '10.108.26.232' , '10.108.26.234' , '10.108.26.236' , '10.108.26.238','10.150.19.89', '10.98.13.12', '10.98.140.139')
AND alert IN ('Intsrc')
AND policy_name is not null AND isNotOneOfIgnoreCase (policy_name, {'Default Intrusion Prevention', 'ARP: MAC Address Flip-Flop', 'Default_IPSPolicy', 'no rules active', 'cmdel-access-pol'})
).std:groupwin(ip_src).win:time_length_batch(1 Minutes, 20).std:unique(ip_dst) group by ip_src,policy_name having count(*) >= 20;
2019-08-19 10:01 AM
In the 2nd alert syntax, the meta key 'alert' is an array meta, so you should change its syntax in the same way as for the 'risk_info' meta key.
2019-08-19 10:28 AM
Thanks a lot Mustafa for the timely help. Is there an IDE-like environment where we can check syntax errors before deploying?
2019-08-20 05:00 AM
Hey John,
If you want to know whether a meta is an 'Array String' or just a 'String', go to Configure -> ESA Rules -> Settings -> Meta Key References and type the meta name in the search bar. If it shows up as String[], it is an array meta and you will have to modify the alert syntax accordingly. Hope it helps.
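The two answers above give a rule of thumb: a meta that Meta Key References lists as String[] cannot be used with `.toLowerCase()` or `IN (...)` and needs isOneOfIgnoreCase / isNotOneOfIgnoreCase instead, while a plain String meta can keep the IN form. The following script is an added example, not part of this thread or of the RSA product: it takes a constructed meta-type table standing in for what the Meta Key References page shows (the String[] entries are the metas the thread identifies as arrays; the String entries are an assumption based on the clauses that deployed without complaint) and rewrites the offending IN clauses of a rule fragment before it is deployed. The regular expression, the table, and the function names are mine.

```python
"""Pre-deployment check for ESA/Esper rules: flag string operators applied to array metas.

Added example; the meta-type table below is a constructed stand-in for the
Configure -> ESA Rules -> Settings -> Meta Key References page. Verify the
real types in your own deployment before trusting a rewrite.
"""
import re

# Constructed table. String[] entries are the array metas named in the thread;
# String entries are an assumption based on clauses that deployed without error.
META_TYPES = {
    "action": "String[]",
    "risk_info": "String[]",
    "alert": "String[]",
    "device_type": "String",
    "device_class": "String",
    "msg_id": "String",
}

# meta [.toLowerCase()] [NOT] IN ( 'lit', 'lit', ... )
# Only string-literal lists are matched, so numeric lists such as
# service IN ( 21 ) or tcp_dstport IN (80) are never touched.
_IN_CLAUSE = re.compile(
    r"\b(?P<meta>[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)?)\s*"
    r"(?P<lower>\.toLowerCase\(\)\s*)?"
    r"(?P<neg>NOT\s+)?IN\s*\(\s*(?P<lits>'[^']*'(?:\s*,\s*'[^']*')*)\s*\)",
    re.IGNORECASE,
)


def base_meta(meta: str) -> str:
    """'E1.device_type' -> 'device_type'; unqualified names pass through."""
    return meta.split(".")[-1].lower()


def rewrite_rule(epl: str, meta_types: dict = META_TYPES):
    """Return (rewritten_epl, findings).

    For a String[] meta, `meta.toLowerCase() IN (...)` and `meta IN (...)` become
    isOneOfIgnoreCase(meta,{...}); `meta NOT IN (...)` becomes
    isNotOneOfIgnoreCase(meta,{...}). String metas are left as written, and metas
    missing from the table are reported but not changed. Note that the rewrite
    makes a case-sensitive IN case-insensitive, which is what the thread's advice
    implies.
    """
    findings = []

    def fix(m: re.Match) -> str:
        meta = m.group("meta")
        mtype = meta_types.get(base_meta(meta))
        if mtype is None:
            findings.append(f"{meta}: type unknown, verify in Meta Key References")
            return m.group(0)
        if mtype != "String[]":
            return m.group(0)  # plain String meta: IN (...) is valid EPL
        func = "isNotOneOfIgnoreCase" if m.group("neg") else "isOneOfIgnoreCase"
        lits = ", ".join(re.findall(r"'[^']*'", m.group("lits")))
        findings.append(f"{meta}: {mtype} meta used with IN, rewritten to {func}")
        return f"{func}({meta},{{ {lits} }})"

    return _IN_CLAUSE.sub(fix, epl), findings


if __name__ == "__main__":
    # The clause from the first rule in the thread that triggered
    # "unknown method Collection.toLowerCase()".
    fragment = ("(risk_info .toLowerCase() IN ( 'file transport over unknown protocol' )"
                " AND tcp_dstport IN (80))")
    fixed, notes = rewrite_rule(fragment)
    print(fixed)
    for n in notes:
        print("  -", n)
```

Run it on a whole rule body rather than a fragment and it reports every clause it could not classify, which is the list of metas to look up on the Meta Key References page before deploying.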
2019-08-20 05:51 AM
Thanks Mustafa.
1. How can we change this: "e3.user_dst LIKE e1.email_src"? It's showing a syntax error.
and
2. How do we modify this: "threat_category NOT in ('WS.Reputation.1')"? It's also showing a syntax error.
and
3. I am getting the error below in Esper: "implicit conversion from string to boolean is not allowed".
module Module_5684c0c8e4b0e705dcb1287a;
@Name('Module_5684c0c8e4b0e705dcb1287a_Alert')
@Description('')
@RSAAlert(oneInSeconds=0)
SELECT * FROM PATTERN @SuppressOverlappingMatches [ every
e1= Event( device_type IN ( 'symantecav' ) AND ( 'Access Denied' = ANY( action ) OR 'Action Invalid' = ANY( action ) OR 'All Actions Failed' = ANY( action ) OR 'Excluded' = ANY( action ) OR 'Left Alone' = ANY( action ) OR 'Partially Repaired' = ANY( action ) OR 'Pending Repair' = ANY( action ) OR 'Process Terminated Pending Restart' = ANY( action ) OR 'Process Terminated' = ANY( action ) OR 'Suspicious' = ANY( action ) ))
->
e2=Event((device_type IN ( 'ciscoasa' ) AND (event_cat_name LIKE 'Network.Denied.%' OR event_cat_name LIKE 'Network.Connections.%' AND ip_src = e1.ip_src) OR (device_class IN ( 'Web Logs' ) AND host_src = e1.ip_src AND event_cat_name LIKE 'Content.Web Traffic.%')))
where timer:within(1 second)