Angela Stranahan

Does ESA Support Regular Expressions?

Blog Post created by Angela Stranahan Employee on Oct 11, 2016

What is the syntax and supported functions of regular expressions within ESA?

 

The regular expression syntax supported in ESA is that of the java.util.regex API, which is most similar to the flavor found in Perl. Regular expression tools such as Regex Buddy allow you to validate syntax against the flavor you are writing, including Java. To see the functions supported by java.util.regex, see the online tutorial or the description in the Pattern class documentation. The language supports more complex concepts such as lookahead and lookbehind.

 

The expression for NeutrinoEK shown below would be supported, since the API implements the concepts it relies on: capture groups, boundary matching, quantifiers, character classes and lookaheads.

 

^http:\/\/(?!www|jobs?)[a-z0-9\-]{4,32}\.[a-z0-9\-]{4,32}\.[^\x2f]+\/(?!news|people|includes?|company)[a-z]{3,12}\/(?:[a-z]{3,12}\-){1,5}[0-9]{8}(?:\.swf)?$

(Juan Figuera, 2016-06-21, NeutrinoEK Landing pattern 2. Thanks Keith Faber for extra samples. Validated by Michelle Ticer.)

 

References:

https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html

 

https://docs.oracle.com/javase/tutorial/essential/regex/intro.html

 

Are there expressions to detect DGA?

 

Within the current shipping product, the TLD Lua parser populates the meta key risk.suspicious with the value 'hostname consecutive consonants'. It does this by applying a regular expression to the meta 'alias.host' that looks for either a) 5 or more consecutive consonants or b) two groups of 4 consecutive consonants. This pattern is commonly found in the output of a DGA. Deploy the TLD Lua parser from Live and write an ESA rule against the meta value as follows:

 

@RSAAlert
select * from Event
(
  risk_suspicious = 'hostname consecutive consonants'
)

 

Alternatively, if you do not want to use the Lua parser, you can match the regular expression directly in ESA for either 5 or more consecutive consonants or two groups of 4 consecutive consonants. Note that the EPL regexp operator matches the whole string rather than a substring, so the pattern must be wrapped in .* on both sides or the rule will only fire on hostnames that consist entirely of consonants. An example:

@RSAAlert
select * from Event
(
  alias_host regexp '.*[BbCcDdFfGgHhJjKkLlMmNnPpQqRrSsTtVvWwXxYyZz]{5,}.*'
  or
  alias_host regexp '.*[BbCcDdFfGgHhJjKkLlMmNnPpQqRrSsTtVvWwXxYyZz]{4}.+[BbCcDdFfGgHhJjKkLlMmNnPpQqRrSsTtVvWwXxYyZz]{4}.*'
)
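To show the NeutrinoEK pattern and the consonant-run DGA heuristic in action, here is an added example (not part of the original post or the NetWitness product) using Python's re module as a stand-in for java.util.regex, since both accept the lookahead, \x2f and bounded-quantifier syntax used above. The sample hostnames and URL are constructed for the demonstration, and the esper_regexp helper mimics the whole-string semantics of the EPL regexp operator via re.fullmatch.

```python
import re

# Consonant class copied from the ESA rule above.
CONSONANTS = "[BbCcDdFfGgHhJjKkLlMmNnPpQqRrSsTtVvWwXxYyZz]"
FIVE_RUN = re.compile(CONSONANTS + "{5,}")                            # a) 5+ consecutive consonants
TWO_FOUR_RUNS = re.compile(CONSONANTS + "{4}.+" + CONSONANTS + "{4}")  # b) two groups of 4

# NeutrinoEK landing pattern 2 as quoted above; Python's re accepts the same constructs.
NEUTRINO_LANDING = re.compile(
    r"^http:\/\/(?!www|jobs?)[a-z0-9\-]{4,32}\.[a-z0-9\-]{4,32}\.[^\x2f]+\/"
    r"(?!news|people|includes?|company)[a-z]{3,12}\/(?:[a-z]{3,12}\-){1,5}"
    r"[0-9]{8}(?:\.swf)?$")


def consonant_flags(hostname):
    """(five_run, two_four_runs) for a hostname, as the TLD parser heuristic sees it."""
    return (FIVE_RUN.search(hostname) is not None,
            TWO_FOUR_RUNS.search(hostname) is not None)


def looks_like_dga(hostname):
    """True when either heuristic fires; this is the 'or' in the ESA rule."""
    return any(consonant_flags(hostname))


def esper_regexp(pattern, value):
    """Mimic the EPL regexp operator: the WHOLE value must match the pattern,
    so substring patterns need '.*' on both sides to behave as expected."""
    return re.fullmatch(pattern, value) is not None


def is_neutrino_landing_url(url):
    """True when the URL matches the NeutrinoEK landing-page pattern."""
    return NEUTRINO_LANDING.match(url) is not None


if __name__ == "__main__":
    # Constructed sample hostnames, not real indicators.
    for h in ["mail.google.com", "xkqvzrtp.example.com", "mkrt1vlsq.example.com"]:
        print(h, consonant_flags(h), looks_like_dga(h))
    # Whole-string semantics: the unwrapped pattern misses a hostname that
    # merely contains a consonant run; the '.*'-wrapped form catches it.
    print(esper_regexp(CONSONANTS + "{5,}", "xkqvzrtp.example.com"))          # False
    print(esper_regexp(".*" + CONSONANTS + "{5,}.*", "xkqvzrtp.example.com"))  # True
    print(is_neutrino_landing_url("http://abcd.example.com/path/some-words-12345678.swf"))  # True
```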

 

There is a post in the community on RSA Link that shows an ESA plugin that calculates entropy in order to detect DGAs. This can also be accomplished in a Lua parser.

 

https://community.rsa.com/community/products/netwitness/blog/2016/09/26/shannon-have-you-seen-my-entropy
