ESA - Wildcard in String Array

Discussion created by Joe Gumke on Feb 21, 2017
Latest reply on Feb 22, 2017 by Joe Gumke

Like • Show 0 Likes0
Comment • 11

We have a need to look for wildcard matches in a string array within an ESA correlation alert.

I can get the string value to match using the syntax below, but need to get a wildcard match as we need to see matches of domains that match prior to this value.

Syntax for static match of 'maliciousdomain'. Need to get a wildcard to match anything before 'maliciousDomain'.

@Description('')
@RSAAlert(oneInSeconds=0)

        SELECT * FROM Event(
            medium = 1
            AND ('maliciousDomain' = ALL( alias_host )));

Outcomes

11 Replies

Christopher Ahearn Feb 21, 2017 1:55 PM
Do you mean something like "bad.maliciousdomain.com" or "really.bad.maliciousdomain.com" ?
Like • Show 0 Likes0
Actions
- Joe Gumke @ Christopher Ahearn on Feb 21, 2017 1:58 PM
  Hey chris,
  
  Yes sir.
  Anything that ends with "maliciousdomain.com", or "*maliciousdomain.com"
  Like • Show 0 Likes0
  Actions
Lee Kirkpatrick Feb 22, 2017 6:25 AM
Hey Joseph,

For this, you would need to use a lambda expression like the below to iterate through the elements in the array:-

SELECT * from Event(alias_host.AnyOf(a=> a.toLowerCase().contains('maliciousdomain')))

I added the java.lang.String Method toLowerCase() to make the match case insensitive but you can remove if it is not necessary.

This syntax can also be edited to use any operator, e.g.:-

SELECT * from Event(alias_host.AnyOf(a=> a LIKE '%maliciousdomain.com'))

Cheers,
Lee
Like • Show 0 Likes0
Actions
- Joe Gumke @ Lee Kirkpatrick on Feb 22, 2017 8:03 AM
  thanks lee. I tried both variations of what you had posted above, and both do not work.
  Like • Show 0 Likes0
  Actions
  - Lee Kirkpatrick @ Joe Gumke on Feb 22, 2017 8:47 AM
    Hey Joseph,
    
    Are you able to post the whole EPL rule so I may take a look?
    
    Cheers,
    Lee
    Like • Show 0 Likes0
    Actions
    - Joe Gumke @ Lee Kirkpatrick on Feb 22, 2017 8:51 AM
      Hi Lee,
      
      this is it:
      
              @Description('')
              @RSAAlert(oneInSeconds=0)
      
      SELECT * from Event(
             medium = 1
             AND alias_host.AnyOf(a=> a LIKE '%maliciousDomain.com'));
      Like • Show 0 Likes0
      Actions
      - Lee Kirkpatrick @ Joe Gumke on Feb 22, 2017 9:09 AM
        Thanks.
        
        Was the issue the rule did not deploy? Or that the rule did not alert when deployed?
        Like • Show 0 Likes0
        Actions
        Joe Gumke @ Lee Kirkpatrick on Feb 22, 2017 9:12 AM
        Hi Lee,
        
        The rule deploys onto the ESA just fine, it's that the rule does not fire properly when injecting packets.
        Like • Show 0 Likes0
        Actions
        Lee Kirkpatrick @ Joe Gumke on Feb 22, 2017 10:55 AM
        Hey Joseph,
        
        The ESA is treating alias_host as a vector, the lambda expression I gave you is for arrays and why it did not work, my apologies.
        
        The best method I can think of right now is casting the vector into a string and performing a contains operation against it:-
        
        SELECT *, cast(alias_host, string) as Hostname FROM Event(
        cast(alias_host, string).toLowerCase().contains('maliciousdomain.com'))
        
        Cheers,
        Lee
        Like • Show 0 Likes0
        Actions
        Joe Gumke @ Lee Kirkpatrick on Feb 22, 2017 12:21 PM
        thanks lee ! works like a charm!
        1 person found this helpful
        Like • Show 0 Likes0
        Actions
Christopher Ahearn Feb 22, 2017 7:37 AM
Another way to do this would be outside of ESA entirely. You could create application rules on your packet decoders that specifically look for the domain of interest.

name=maliciousdomain rule="alias.host ends 'maliciousdomain.com'" alert=alert type=application

Then, just have ESA look for alert = 'maliciousdomain' since it will already be meta at that point.

You could also look for the root host for any and all sessions where alias.host is populated. I wrote a parser to help with that. The purpose being that if I wanted to exclude any domain, I could. This uses a custom meta key called 'root.host', so an index change on the concentrators would be needed if you wanted to query against it.

The parser works by performing a meta callback against 'alias.host' and then examining the location of all the dots in the hostname. It then compares the last position against the TLD's listed in a table and then moves to the left if found.

Since this is just performing a meta callback, it can work on both packet and log decoders.

Chris
Attachments
- rootdomain_20160908.lua.zip4.8 KB
Like • Show 0 Likes0
Actions

ESA - Wildcard in String Array

Outcomes

Attachments

Related Content

Recommended Content