2014-03-19 02:55 PM
For example, Rule Test with the following query :
device.type = "winevent_nic" && alert.id = "access:privilege-escalation-success" && ip.addr = "13.101.134.216"
returns 12 values. However, Rule Test with the following query (same exact time range):
device.type = "winevent_nic" && alert.id = "access:privilege-escalation-success" && ip.addr begins "13.101."
returns "No Values Available For The Rule."
2014-03-19 07:27 PM
In 9.8 at least, it doesn't appear that "begins" is a valid comparison operator for ip.src, ip.dst, or ip.addr -- the only comparison options are =, !=, exists, and !exists.
You can do VLSM "equality" matches against the IP-based fields which you could use to accomplish the same result:
ip.src = 13.101.0.0/16
As an aside, I've also heard it suggested that the use of ip.addr may not always work the way you would expect and that it's better to use ip.src and/or ip.dst (i.e. ip.src=1.2.3.4 || ip.dst=1.2.3.4 if you want to match either address), but perhaps one of the official RSA folk can speak to whether there is truth in that.
2014-03-20 01:30 AM
Is there any document talking about all the syntax?
2014-03-20 01:42 AM
What about 'contains'?
2014-03-20 01:47 PM
Thank you for your response Patriot3w. I found no documentation regarding syntax within the SA docs site (sadocs.emc.com) nor did I find any in SCOL.
John D. Hahn
Rockwell Automation
Phone: (414) 382-4794
Cell: (414) 469-3187
LISTEN. THINK. SOLVE.
2014-03-20 01:48 PM
Thanks for your response Hubba900. I just tried your suggestion, and "Contains" produces the same result as "begins". Thank you.
2014-03-20 03:00 PM
I guess at this time 'contains' does not work in rules, for example in version 10.3.2. I tried to find the syntax too and did not find it... but I think 'contains 13.101.' or 'contains "13.101."' is the correct syntax.
2014-03-20 03:24 PM
Hi Doug,
I think you have the answer! I tested the following:
device.type = "symantecav" && event.cat.name = "Attacks.Malicious Code.Virus" && ip.addr = "xx.xxx.xx.0/24"
(Noting the "x"s for thread anonymity)
and received the result I expected. Looks like CIDR notation is the answer for equality. Thank you for your help!
2014-03-20 03:28 PM
If you want to use a single rule to detect hits from a multitude of sources within a netblock, the rule should be:
device.type = "winevent_nic" && alert.id = "access:privilege-escalation-success" && ip.addr=13.101.0.0/16
The data in the IP.addr keys are not in text format, which might explain the vagaries of using text related search parameters like begins and contains.
2014-03-21 12:46 AM
Hey John,
In case you want to go with a single rule, you can also use a custom drill.
It can help you with:
1. Direct drilling when multiple events are known for a desired session
2. Logical OR drills that are not possible via click-and-pivot operations
As far as the syntax for comparison operators is concerned, begins / ends / contains have the same syntax. Please find below the syntax and its description.
1. begins - Checks for value matches beginning on the left side of the meta field
2. ends - Checks for value matches beginning on the right side of the meta field
3. contains - Checks for value matches against the entire meta field
I am still in the process of testing the above comparison operators, so I am still unsure.
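To illustrate the difference between the text operators discussed in the last two posts (begins / contains) and the CIDR equality match that worked, here is an added Python emulation of the rule semantics; it is not RSA Security Analytics code, and the events and the `match_rule` helper are constructed for this example. It also shows why a text prefix such as "13.10" does not correspond to any single netblock.

```python
import ipaddress
from typing import Dict, List

# Constructed sample events (not from the thread). The last one is outside
# 13.101.0.0/16 but still starts with the text "13.10".
EVENTS: List[Dict[str, str]] = [
    {"device.type": "winevent_nic", "alert.id": "access:privilege-escalation-success",
     "ip.addr": "13.101.134.216"},
    {"device.type": "winevent_nic", "alert.id": "access:privilege-escalation-success",
     "ip.addr": "13.101.7.9"},
    {"device.type": "winevent_nic", "alert.id": "access:logon-success",
     "ip.addr": "13.101.7.9"},
    {"device.type": "symantecav", "alert.id": "access:privilege-escalation-success",
     "ip.addr": "13.101.7.9"},
    {"device.type": "winevent_nic", "alert.id": "access:privilege-escalation-success",
     "ip.addr": "13.105.2.2"},
]


def ip_equals(value: str, pattern: str) -> bool:
    """Emulate `ip.addr = <address or CIDR>`: a bare address must match
    exactly, a CIDR pattern matches every address inside the network."""
    addr = ipaddress.ip_address(value)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def text_begins(value: str, prefix: str) -> bool:
    """String `begins`, as it would behave on a text meta key (for contrast).
    "13.10" matches 13.10.x.x, 13.100.x.x ... 13.109.x.x, which is not one block."""
    return value.startswith(prefix)


def match_rule(events: List[Dict[str, str]], device_type: str,
               alert_id: str, ip_pattern: str) -> List[str]:
    """Return ip.addr values of events satisfying the three-clause rule
    from the thread, with the IP clause evaluated as a network match."""
    return [
        e["ip.addr"] for e in events
        if e["device.type"] == device_type
        and e["alert.id"] == alert_id
        and ip_equals(e["ip.addr"], ip_pattern)
    ]


if __name__ == "__main__":
    rule = ("winevent_nic", "access:privilege-escalation-success")
    print(match_rule(EVENTS, *rule, "13.101.134.216"))   # exact address
    print(match_rule(EVENTS, *rule, "13.101.0.0/16"))    # whole /16
    print(text_begins("13.105.2.2", "13.10"), ip_equals("13.105.2.2", "13.101.0.0/16"))
```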