
ESA rule -  left outer join and aggregation

Question asked by Uq1lws3RT39tp8reFD8y8NuuHaHt7KaBBIJDVDjgnPY= on May 22, 2016
Latest reply on Jan 9, 2018 by Utsav Sejpal

Hello all,


I have an advanced EPL rule to detect horizontal network scans which works fine.


module scan;


/* source IPs that must never raise the scan alert */
create constant variable string[] whitelist  = {
    '1.2.3.4',     /* exception 1 */
    '1.2.3.5'      /* exception 2 */
};


@Name('scan')
@RSAAlert(oneInSeconds=0, identifiers={"ip_src"})
SELECT * FROM Event (
        medium = 32                  /* network sessions only */
    AND 
        ip_src IS NOT NULL
    AND
        ip_dst IS NOT NULL
    AND
        ip_dstport IS NOT NULL
    AND
        ip_src NOT IN (whitelist)    /* source-only exclusion */
).std:groupwin(ip_src, ip_dstport)   /* one window per (source, port) */
.std:unique(ip_dst)                  /* keep one event per distinct destination */
.win:time_batch(60 seconds)          /* evaluate every 60 s */
GROUP BY 
    ip_src, ip_dstport 
HAVING 
    count(ip_dst) >= 100;            /* >= 100 distinct hosts on one port = horizontal scan */


Now, I would like to improve the whitelisting to do the exclusion not only based on ip_src, but based on ip_src and the corresponding ip_dstport.


Ideally, I want to keep a simple statement of the whitelist like this:

create constant variable Object[] whitelist  = {
    {'1.2.3.4', 80},     /* exception HTTP 1 */
    {'1.2.3.5', 22}      /* exception SSH 2 */
};


What is the best way to achieve this?

Should I create a schema, a named window or a hashmap and do a left outer join? (If yes, how do I deal with the aggregate and the left outer join?)
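To make the intended semantics concrete, here is an added example (not from the poster or from RSA) that simulates the rule above in plain Python: events are grouped per 60-second batch and per (ip_src, ip_dstport), distinct destinations are counted, and the exclusion is applied to the (ip_src, ip_dstport) pair rather than to ip_src alone. The event dicts, the whitelist pairs and the sample sweep are constructed for the demonstration; the batch/unique handling is an approximation of the EPL windows, not Esper itself.

```python
from collections import defaultdict

# Constructed pair whitelist, mirroring the Object[] variable proposed above.
WHITELIST = {("1.2.3.4", 80), ("1.2.3.5", 22)}
THRESHOLD = 100      # HAVING count(ip_dst) >= 100
BATCH_SECONDS = 60   # win:time_batch(60 seconds)


def is_whitelisted(ip_src, ip_dstport):
    """Pair-based exclusion: both source and destination port must match."""
    return (ip_src, ip_dstport) in WHITELIST


def scan_alerts(events, threshold=THRESHOLD, batch_seconds=BATCH_SECONDS):
    """Approximate the EPL rule: per time batch, group by (ip_src, ip_dstport),
    count distinct ip_dst (std:unique) and alert at the threshold.
    events: iterable of dicts with keys time, medium, ip_src, ip_dst, ip_dstport."""
    batches = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e.get("medium") != 32:          # network sessions only
            continue
        src, dst, port = e.get("ip_src"), e.get("ip_dst"), e.get("ip_dstport")
        if src is None or dst is None or port is None:
            continue
        if is_whitelisted(src, port):      # replaces "ip_src NOT IN (whitelist)"
            continue
        batch = int(e["time"] // batch_seconds)
        batches[batch][(src, port)].add(dst)
    alerts = []
    for batch in sorted(batches):
        for (src, port), dsts in batches[batch].items():
            if len(dsts) >= threshold:
                alerts.append({"batch": batch, "ip_src": src,
                               "ip_dstport": port, "unique_dst": len(dsts)})
    return alerts


def sample_events():
    """Constructed sample: 1.2.3.4 touches 120 hosts on port 80 (whitelisted pair)
    and 120 hosts on port 445 (not whitelisted); 10.0.0.9 touches 50 hosts on 22."""
    events = []
    for i in range(120):
        for port in (80, 445):
            events.append({"time": 5 + i * 0.1, "medium": 32, "ip_src": "1.2.3.4",
                           "ip_dst": f"10.1.0.{i}", "ip_dstport": port})
    for i in range(50):
        events.append({"time": 10 + i, "medium": 32, "ip_src": "10.0.0.9",
                       "ip_dst": f"10.2.0.{i}", "ip_dstport": 22})
    return events
```

With the source-only whitelist from the original rule, 1.2.3.4 would be silently excluded on every port; with the pair whitelist only the port 80 sweep is excluded and the port 445 sweep still alerts.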
