AnsweredAssumed Answered

How do I enter an IP range in EPL using RegEx?

Question asked by Hidayat Lal Baz on Apr 11, 2018
Latest reply on Jul 12, 2019 by Josh Randall

Like • Show 0 Likes0
Comment • 9

Hello everybody,

I hope you can help me out.
I have created a rule in EPL that should trigger whenever the corresponding event occurs in one of the metafields. I would also like to receive an alarm if a certain IP range occurs. In order not to list the entire IP range, I would like to use RegExp here. Can either of you tell me how to integrate RegExp into my rule?

My code looks like this, but unfortunately I get a syntax error:

SELECT * FROM
Event(
medium = 32 AND
ec_activity = 'Logon' AND
ec_theme = 'Authentication' AND
ec_outcome = 'Failure' AND
result = 'failed publickey' AND

(matchRegex(device_ip, "(10\.169\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))")) AND
user_dst IS NOT NULL AND
host_src IS NULL
).std:groupwin(user_dst_hash , device_ip , device_host).win:time_length_batch(120 seconds, 3) GROUP BY user_dst_hash , device_ip , device_host HAVING COUNT(*) = 3;

No one else has this question

Outcomes

9 Replies

Jeff Shurtliff Apr 11, 2018 9:29 AM
Mark Correct
Correct Answer
Hi Hidayat,

I have moved this thread to the RSA NetWitness Platform so that you can get an answer to your question.

You can post future questions and discussions directly to that community by clicking on the Ask a Question or Start a Discussion button on the RSA NetWitness Platform page.

Thanks,
Jeff
Like • Show 1 Like1
Actions
Josh Randall Apr 11, 2018 12:54 PM
Mark Correct
Correct Answer
Hi Hidayat,

You are looking to match against anything in the 10.169.0.0/16 range, yes?

One issue with your match statement - it will not match against the full 0-255 range in the last octet, only against the first digit in the octet.

For example:

10.169.255.1 à this would match fully

10.169.255.100 à this would match only to "10.169.255.1”

10.169.255.255 à this would match only to "10.169.255.2”

You can fix this by either adding string beginning (^) and string end ($) tokens to your regex:

            (^10\.169\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$)

Or by using a different regex that does not need them:

            (10\.169\.[0-9]{1,3}\.[0-9]{1,3})

A second potential issue I see with the rule is that you are grouping by user_dst_hash. If you have not set up data obfuscation on the user.dst meta key, then user.dst.hash meta will not be available for ESA. I'd recommend you double-check that meta is available in ESA.

Lastly - if you want to group by distinct user.dst values, you could change your grouping statement to:

            .std:groupwin(device_ip , device_host).win:time_length_batch(120 seconds, 3).std:unique(user_dst) GROUP BY device_ip , device_host HAVING COUNT(*) = 3

Let us know if this works for you.
1 person found this helpful
Like • Show 1 Like1
Actions
- Hidayat Lal Baz @ Josh Randall on Apr 18, 2018 7:30 AM
  Mark Correct
  Correct Answer
  Hi Joshua,
  I was very grateful for your quick support, thank you very much.
  Your help was great, the EPL-"compiler" doesn't report a syntax error anymore. Right now, I'm testing to see if the rule works.
  Kind regards
  Hidayat
  Like • Show 1 Like1
  Actions
- Hidayat Lal Baz @ Josh Randall on Apr 19, 2018 10:39 AM
  Mark Correct
  Correct Answer
  Hi Joshua,
  everything's working fine. Thanks for the help.
  Like • Show 1 Like1
  Actions
- Deepak Shukla @ Josh Randall on Jul 12, 2019 10:51 AM
  Mark Correct
  Correct Answer
  Hi Joshua,
  
  Just to test the internal traffic, have created below, rule is saved but not thoroughing any alert. Don't know what's wrong here. Your suggestions will be highly appreciated!
  
  @Name('test-internal')
  @RSAAlert(oneInSeconds=0)
  SELECT * FROM Event
  (
  device_class IS NOT NULL
  AND (matchRegex(ip_src, "(10\.[0-9]{1,3}|172\.(3[01]|2[0-9]|1[6-9])|192\.168)\.[0-9]{1,3}\.[0-9]{1,3})"))
  AND (matchRegex(ip_dst, "(10\.[0-9]{1,3}|172\.(3[01]|2[0-9]|1[6-9])|192\.168)\.[0-9]{1,3}\.[0-9]{1,3})"))
  )
  .std:groupwin(ip_src, ip_dst)
  .win:time_length_batch(60 seconds, 200)
  GROUP BY ip_src, ip_dst
  ;
  Like • Show 0 Likes0
  Actions
  - Josh Randall @ Deepak Shukla on Jul 12, 2019 1:53 PM
    Mark Correct
    Correct Answer
    Hi Deepak,
    I highly recommend https://regex101.com/. I think I’ve used that tool for pretty much every single regex I’ve ever written.
    
    A simple copy/paste of your matchRegex statements into regex101 shows that you have an unmatched parenthesis at the end of each:
    
    This is caused by a right parenthesis ")" in the middle of your regex (after the 192\.168\.) that should not be there.
    
    That said, I'll echo what John Snider says below about using feeds and/or app rules and/or the traffic_flow_options.lua file to tag your ip ranges with meta and use that meta in your ESA rules. Let your decoders do as much of the heavy lifting as you can.
    Like • Show 0 Likes0
    Actions
Sravan Koneti Apr 12, 2018 12:43 AM
Mark Correct
Correct Answer
On top of Jashua's recommendations.

Interpreting Regex for IP range document might help on ip regex for EPL.
1 person found this helpful
Like • Show 1 Like1
Actions
- Hidayat Lal Baz @ Sravan Koneti on Apr 18, 2018 7:31 AM
  Mark Correct
  Correct Answer
  Hi Sravan,
  thanks for your help and the nice tip.
  Kind regards
  Hidayat
  Like • Show 0 Likes0
  Actions
John Snider Jul 12, 2019 1:23 PM
Mark Correct
Correct Answer
Though not an answer for using regex for an IP range in EPL, I highly suggest tagging any IP ranges using either a Feed or Application Rule on the Decoders (Log, Network or Endpoint), some of this may already be done if you have configured the traffic_flow_options.lua file to recognize your internal networks, they would then be tagged in both the 'netname' key buy "name src" or "name dst" and the 'direction' key for "inbound","outbound", & "lateral"

Let the decoders do the heavy lifting instead of making complex regex like queries in EPL, it's more efficient.
Like • Show 0 Likes0
Actions

How do I enter an IP range in EPL using RegEx?

Outcomes

Related Content

Recommended Content