I am trying my hand at advanced EPL by making an update to one of the RSA ESA Live rules and need some help understanding why it will not deploy.
The "Download of PDF File Followed by Download of EXE File" rule seems like it might work, but it is constantly firing because it is picking up traffic from my NAT addresses and handling it as if it all came from the same source. I copied the rule to customize it. Since I am using the traffic_flow parser and have my NAT addresses specified as "nat", I want to add the condition netname != 'nat src'. When I try to add the condition it disables the rule and will not deploy it. The syntax checks out fine. Can anyone provide insight or an alternative way to do this?
Here is my change to the original:
Description: Download of PDF file followed by download of EXE file within 5 minutes. This is indicative of a two-stage malware dropper where scripting code in a container file, PDF in this scenario, results in a request of a download of malware.
SELECT * FROM Event(
  // ADD THE netname EXCLUSION HERE
  netname IS NOT NULL AND (
    /* Statement: Download PDF File */
    (medium = 1 AND filetype.toLowerCase() = 'pdf')
    OR
    /* Statement: Download EXE File */
    (medium = 1 AND filetype.toLowerCase() IN ( 'windows_executable' , 'x86 pe' , 'windows executable' ))
  ) // Added for netname exclusion
).win:time(5 Minutes)   // the 5-minute window from the rule description
MATCH_RECOGNIZE (
  PARTITION BY ip_src
  MEASURES E1 as e1_data , E2 as e2_data
  PATTERN (E1+ E2)
  DEFINE
    E1 as (E1.filetype.toLowerCase() IN ( 'pdf' ) AND E1.medium IN ( 1 )),
    E2 as (E2.filetype.toLowerCase() IN ( 'windows_executable' , 'x86 pe' , 'windows executable' ) AND E2.medium IN ( 1 ))
);
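The following is an added example, not part of the post or of the RSA Live rule: a small Python model of what the rule is meant to match (a PDF download followed by an EXE download from the same ip_src within 5 minutes), with a netname exclusion applied before partitioning. It assumes netname is multi-valued per event and that 'nat src' is the tag to exclude; the event records are constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
EXE_TYPES = {"windows_executable", "x86 pe", "windows executable"}


def is_pdf(ev):
    return ev["medium"] == 1 and ev["filetype"].lower() == "pdf"


def is_exe(ev):
    return ev["medium"] == 1 and ev["filetype"].lower() in EXE_TYPES


def detect(events, excluded_netnames=("nat src",)):
    """Return (ip_src, pdf_event, exe_event) for each PDF->EXE sequence
    seen from one ip_src within WINDOW. Events are processed in time order."""
    last_pdf = {}  # ip_src -> most recent qualifying PDF download
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        # Assumption: netname is a list of tags; drop events carrying an excluded tag
        if any(tag in excluded_netnames for tag in ev.get("netname", [])):
            continue
        if is_pdf(ev):
            last_pdf[ev["ip_src"]] = ev
        elif is_exe(ev):
            pdf = last_pdf.pop(ev["ip_src"], None)
            if pdf and ev["time"] - pdf["time"] <= WINDOW:
                alerts.append((ev["ip_src"], pdf, ev))
    return alerts


# Constructed sample events: a NAT address aggregating two unrelated internal
# hosts, one real PDF->EXE sequence, and one sequence outside the window.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"time": T0, "ip_src": "10.0.0.5", "medium": 1, "filetype": "PDF", "netname": ["nat src"]},
    {"time": T0 + timedelta(minutes=1), "ip_src": "10.0.0.5", "medium": 1, "filetype": "x86 pe", "netname": ["nat src"]},
    {"time": T0, "ip_src": "192.168.1.20", "medium": 1, "filetype": "pdf", "netname": ["other src"]},
    {"time": T0 + timedelta(minutes=2), "ip_src": "192.168.1.20", "medium": 1, "filetype": "windows_executable", "netname": ["other src"]},
    {"time": T0, "ip_src": "192.168.1.30", "medium": 1, "filetype": "pdf", "netname": []},
    {"time": T0 + timedelta(minutes=10), "ip_src": "192.168.1.30", "medium": 1, "filetype": "windows executable", "netname": []},
]

if __name__ == "__main__":
    for ip, pdf, exe in detect(SAMPLE_EVENTS):
        print(f"ALERT {ip}: {pdf['filetype']} at {pdf['time']} then {exe['filetype']} at {exe['time']}")
```

Running it with the exclusion yields one alert (192.168.1.20); with `excluded_netnames=()` the NAT address 10.0.0.5 also fires, which is the false positive described in the post.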