AnsweredAssumed Answered

Advanced EPL Rule DNS Enumeration

Question asked by Craig Cameron-Weir on Oct 9, 2018
Latest reply on Oct 17, 2018 by Craig Cameron-Weir

Like • Show 0 Likes0
Comment • 5

Looking for some help with an EPL rule.

The goal is to detect when a single client requests more than 275 unique A records for hosts in my AD domain within 5 minutes. The custom meta key dns_qtype is populated by an app rule that acts on logs produced by our name servers.

@RSAAlert(oneInSeconds = 0)
SELECT *
FROM Event(
 dns_qtype.toLowerCase() IN ('dns a') AND
 matchLike(alias_host, "%domain.local") AND
 ip_src IS NOT NULL
)

This expression matches all of the events (DNS A record queries for domain.local). What I don't know is how to achieve the threshold and grouping by source IP with only unique alias_host values (ie what combination of views is required). Note that alias_host is an array as well - I'm not sure if that changes the behavior of std:unique.

I've tried this a few different ways and none of them have worked - would appreciate some assistance.

Mohammed Mustafa

Oct 10, 2018 10:06 AM

Correct Answer

Hi Craig,

Try this out. I tested it with some log sample at my end.

@RSAAlert(oneInSeconds = 0)
SELECT *
FROM Event(
dns_qtype.toLowerCase() IN ('dns a') AND
matchLike(alias_host, "%domain.local") AND
ip_src IS NOT NULL
).std:groupwin(ip_src).win:time_length_batch(5 minutes, 275).std:unique(alias_host)
group by ip_src
having count(*) = 275
;

See the reply in context

No one else had this question

Outcomes

Mohammed Mustafa

Oct 10, 2018 10:06 AM

Hi Craig,

Try this out. I tested it with some log sample at my end.

Actions

Mohammed Mustafa

@ Mohammed Mustafa on Oct 10, 2018 10:11 AM

I would also suggest not to keep higher time lengths, because ESA will be storing 275 events in memory for that entire time frame & it will affect the ESA memory.

Actions

Craig Cameron-Weir @ Mohammed Mustafa on Oct 10, 2018 1:06 PM

Thanks Mohammed - this worked exactly as expected. I can see that the rule is using about 13 MB of RAM on our ESA appliance as configured - that would get out of hand quick with a longer window.

Actions

Mohammed Mustafa

@ Craig Cameron-Weir on Oct 11, 2018 3:36 AM

Hi Craig,

In cases where you see alerts utilizing lot of memory it is recommended to write the Alerts using Named window technique.

In this link 'https://community.rsa.com/docs/DOC-80032' there is an example for it 'EPL #4: Using NamedWindows and match recognize' have a check.

Named Windows doesn't store entire events in memory, only the meta value that you are filtering.

Actions

Craig Cameron-Weir @ Mohammed Mustafa on Oct 17, 2018 1:14 PM

Thanks again, Mohammed - unfortunately I can't make sense of how I would apply that NamdedWindows example to my use case. Could you point me to better documentation, or help me understand how that would work with the example I posted above?

Actions

5 Replies

Mohammed Mustafa Oct 10, 2018 10:06 AM
Unmark Correct
Correct Answer
Hi Craig,

Try this out. I tested it with some log sample at my end.

@RSAAlert(oneInSeconds = 0)
SELECT *
FROM Event(
dns_qtype.toLowerCase() IN ('dns a') AND
matchLike(alias_host, "%domain.local") AND
ip_src IS NOT NULL
).std:groupwin(ip_src).win:time_length_batch(5 minutes, 275).std:unique(alias_host)
group by ip_src
having count(*) = 275
;
Like • Show 0 Likes0
Actions
- Mohammed Mustafa @ Mohammed Mustafa on Oct 10, 2018 10:11 AM
  Mark Correct
  Correct Answer
  I would also suggest not to keep higher time lengths, because ESA will be storing 275 events in memory for that entire time frame & it will affect the ESA memory.
  Like • Show 0 Likes0
  Actions
  - Craig Cameron-Weir @ Mohammed Mustafa on Oct 10, 2018 1:06 PM
    Mark Correct
    Correct Answer
    Thanks Mohammed - this worked exactly as expected. I can see that the rule is using about 13 MB of RAM on our ESA appliance as configured - that would get out of hand quick with a longer window.
    Like • Show 0 Likes0
    Actions
    - Mohammed Mustafa @ Craig Cameron-Weir on Oct 11, 2018 3:36 AM
      Mark Correct
      Correct Answer
      Hi Craig,
      In cases where you see alerts utilizing lot of memory it is recommended to write the Alerts using Named window technique.
      In this link 'https://community.rsa.com/docs/DOC-80032' there is an example for it 'EPL #4: Using NamedWindows and match recognize' have a check.
      Named Windows doesn't store entire events in memory, only the meta value that you are filtering.
      Like • Show 0 Likes0
      Actions
      - Craig Cameron-Weir @ Mohammed Mustafa on Oct 17, 2018 1:14 PM
        Mark Correct
        Correct Answer
        Thanks again, Mohammed - unfortunately I can't make sense of how I would apply that NamdedWindows example to my use case. Could you point me to better documentation, or help me understand how that would work with the example I posted above?
        Like • Show 0 Likes0
        Actions

Advanced EPL Rule DNS Enumeration

Outcomes

Related Content

Recommended Content