NetWitness Community

Anonymous · ‎2014-03-19

For example, Rule Test with the following query :

device.type = "winevent_nic" && alert.id = "access:privilege-escalation-success" && ip.addr = "13.101.134.216"

returns 12 values. However, Rule Test with the following query (same exact time range):

device.type = "winevent_nic" && alert.id = "access:privilege-escalation-success" && ip.addr begins "13.101."

returns "No Values Available For The Rule."

RSAAdmin · ‎2014-03-19

In 9.8 at least, it doesn't appear that "begins" is a valid comparison operator for ip.src, ip.dst, or ip.addr -- the only comparison options are =, !=, exists, and !exists.

You can do VLSM "equality" matches against the IP-based fields which you could use to accomplish the same result:

ip.src = 13.101.0.0/16

As an aside, I've also heard it suggested that the use of ip.addr may not always work the way you would expect and that it's better to use ip.src and/or ip.dst (i.e. ip.src=1.2.3.4 || ip.dst=1.2.3.4 if you want to match either address), but perhaps one of the official RSA folk can speak to whether there is truth in that.

huanzhou1 · ‎2014-03-20

is there any document talking about all the syntax?

Anonymous · ‎2014-03-20

What about 'contains'?

Anonymous · ‎2014-03-20

Thank you for your response Patriot3w. I found no documentation regarding

syntax within the SA docs site (sadocs.emc.com) nor did I find any in

SCOL.

John D. Hahn

Rockwell Automation

( Phone: (414) 382-4794

( Cell: (414) 469-3187

LISTEN. THINK. SOLVE.

Anonymous · ‎2014-03-20

Thanks for your response Hubba900. I just tried your suggestion, and

"Contains" produces the same result as "begins". Thank you.

John D. Hahn

Rockwell Automation

( Phone: (414) 382-4794

( Cell: (414) 469-3187

LISTEN. THINK. SOLVE.

Anonymous · ‎2014-03-20

I guess at this time 'contains' not work in rules, for example at version 10.3.2. I tried find syntax too and not find... but I think 'contains 13.101.' or 'contains "13.101."' is correct syntax.

Anonymous · ‎2014-03-20

Hi Doug,

I think you have the answer! I tested the following:

device.type = "symantecav" && event.cat.name ="Attacks.Malicious

Code.Virus" && ip.addr = "xx.xxx.xx.0/24"

(Noting the "x"s for thread anonymity)

and received the result I expected. Looks like CIDR notation is the answer

for equality. Thank you for your help!

John D. Hahn

Rockwell Automation

( Phone: (414) 382-4794

( Cell: (414) 469-3187

LISTEN. THINK. SOLVE.

RSAAdmin · ‎2014-03-20

If you want to use a single rule to detect hits from a multitude of sources within a netblock, the rule should be:

device.type = "winevent_nic" && alert.id = "access:privilege-escalation-success" && ip.addr=13.101.0.0/16

The data in the IP.addr keys are not in text format, which might explain the vagaries of using text related search parameters like begins and contains.

Anonymous · ‎2014-03-21

Hey John,

In case if you want to go with single rule, you can also use custom drill

It can help you with:-

1. Provides direct drilling when multiple events are known for a desired

session

2. Allows logical OR drill not possible via click and pivot operations

As far as Syntax for comparison operators are concerned - Begin / end /

Contains has the same syntax name. Please find the below syntax and its

description.

1. begins -Check for value matches beginning on the left side of the

meta field

2. ends - Check for value matches beginning on the right side of the

meta field

3. contains - Check for value matches against the entire meta field

I am still in process to test the above comparison operators so still

unsure.

NetWitness Community

What is the syntax for the 'begin' operator in a Rule clause?