Need help with advanced EPL for ESA

Question asked by Dion Stempfley on Jul 28, 2017
Latest reply on Jul 28, 2017 by Dion Stempfley

I am trying my hand at advanced EPL by making an update to one of the RSA ESA Live rules and need some help understanding why it will not deploy.


The "Download of PDF File Followed by Download of EXE File" rule seems like it might work, but it is constantly firing because it is picking up traffic from my NAT addresses and handling them as if they are from the same source. I copied the rule to customize it. Since I am using the traffic_flow parser and have my NAT addresses specified as "nat", I want to add the condition netname != 'nat src'. When I try to add the condition it disables the rule and will not deploy it. The syntax checks out fine. Can anyone provide insight or an alternative way to do this?

Here is my change to the original:


/*
Description: Download of PDF file followed by download of EXE file within 5 minutes. This is indicative of a two-stage malware dropper where scripting code in a container file, PDF in this scenario, results in a request of a download of malware.

Version: 1
*/

module Module_a6616be4_8f4d_4b94_93f1_fe46fcd68e96;


@Name('Module_a6616be4_8f4d_4b94_93f1_fe46fcd68e96_Alert')
@RSAAlert(oneInSeconds=0, identifiers={"ip_src"})

SELECT * FROM Event(

// ADD THE netname EXCLUSION HERE
netname IS NOT NULL AND (

/* Statement: Download PDF File */
(medium = 1 AND filetype.toLowerCase() = 'pdf')
OR
/* Statement: Download EXE File */
(medium = 1 AND filetype.toLowerCase() IN ( 'windows_executable' , 'x86 pe' , 'windows executable' ))

)  // Added for netname exclusion

).win:time(300 seconds)
MATCH_RECOGNIZE (
PARTITION BY ip_src
MEASURES E1 as e1_data , E2 as e2_data
PATTERN (E1+ E2)
DEFINE
E1 as (E1.filetype.toLowerCase() IN ( 'pdf' ) AND E1.medium IN ( 1 )),
E2 as (E2.filetype.toLowerCase() IN ( 'windows_executable' , 'x86 pe' , 'windows executable' ) AND E2.medium IN ( 1 ))
);

/Dion
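Added example, not from the original post or from RSA: a small Python re-implementation of the rule's matching logic (one or more PDF downloads followed by an EXE download from the same ip_src within 300 seconds), run over constructed sample events, to show how excluding sources tagged as NAT changes the alert output. It assumes that netname is available on each event as a list of tags (a modelling assumption, not a statement about how ESA types the key) and that medium = 1 marks a network session as in the rule; none of this is ESA or EPL code.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constants mirroring the EPL rule in the post
PDF_TYPES = {"pdf"}
EXE_TYPES = {"windows_executable", "x86 pe", "windows executable"}
WINDOW_SECONDS = 300                  # .win:time(300 seconds)
EXCLUDED_NETNAMES = {"nat src"}       # the netname != 'nat src' intent (constructed value)


@dataclass
class Event:
    """One session record. 'netname' as a list of tags is an assumption of this example."""
    time: int                          # seconds since start (constructed clock)
    ip_src: str
    medium: int                        # 1 = network session, as the rule assumes
    filetype: str
    netname: List[str] = field(default_factory=list)


def is_candidate(ev: Event) -> bool:
    """Equivalent of the two 'Statement' filters in the EPL WHERE block."""
    return ev.medium == 1 and ev.filetype.lower() in (PDF_TYPES | EXE_TYPES)


def is_excluded(ev: Event) -> bool:
    """True when any netname tag on the event marks a NAT source."""
    return any(tag in EXCLUDED_NETNAMES for tag in ev.netname)


def detect(events: List[Event], exclude_nat: bool = True) -> List[Tuple[str, int, int]]:
    """Return (ip_src, pdf_time, exe_time) for each PDF-then-EXE sequence per ip_src.

    Mirrors PARTITION BY ip_src with PATTERN (E1+ E2): the most recent PDF from a
    source is remembered; an EXE from the same source within the window alerts.
    """
    alerts: List[Tuple[str, int, int]] = []
    last_pdf: Dict[str, int] = {}      # ip_src -> time of most recent PDF download
    for ev in sorted(events, key=lambda e: e.time):
        if not is_candidate(ev):
            continue
        if exclude_nat and is_excluded(ev):
            continue                    # NAT-tagged sessions never enter the pattern
        ft = ev.filetype.lower()
        if ft in PDF_TYPES:
            last_pdf[ev.ip_src] = ev.time
        elif ft in EXE_TYPES:
            t = last_pdf.get(ev.ip_src)
            if t is not None and ev.time - t <= WINDOW_SECONDS:
                alerts.append((ev.ip_src, t, ev.time))
                del last_pdf[ev.ip_src]  # one alert per PDF/EXE pair
    return alerts


# Constructed sample traffic. 203.0.113.10 is a NAT address: the PDF and the EXE
# behind it come from two different internal hosts, so it is a false positive.
SAMPLE_EVENTS = [
    Event(0,   "10.0.0.5",     1, "pdf"),
    Event(0,   "10.0.0.7",     1, "pdf"),
    Event(5,   "10.0.0.9",     1, "x86 pe"),                    # EXE with no preceding PDF
    Event(10,  "203.0.113.10", 1, "pdf",    ["nat src"]),
    Event(20,  "203.0.113.10", 1, "x86 pe", ["nat src"]),
    Event(120, "10.0.0.5",     1, "windows_executable"),        # real two-stage sequence
    Event(900, "10.0.0.7",     1, "x86 pe"),                    # outside the 300 s window
]

if __name__ == "__main__":
    print("with NAT exclusion:   ", detect(SAMPLE_EVENTS))
    print("without NAT exclusion:", detect(SAMPLE_EVENTS, exclude_nat=False))
```

Run stand-alone, the first line reports only the 10.0.0.5 sequence, while the second also reports the NAT address, which is the noise the post describes. Tagging and filtering NAT sources at ingest, as the traffic_flow parser does here, is what makes the per-ip_src partition meaningful again.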