For example, Rule Test with the following query :
device.type = "winevent_nic" && alert.id = "access:privilege-escalation-success" && ip.addr = "13.101.134.216"
returns 12 values. However, Rule Test with the following query (same exact time range):
device.type = "winevent_nic" && alert.id = "access:privilege-escalation-success" && ip.addr begins "13.101."
returns "No Values Available For The Rule."
is there any document talking about all the syntax?
Thank you for your response Patriot3w. I found no documentation regarding
syntax within the SA docs site (sadocs.emc.com) nor did I find any in
SCOL.
John D. Hahn
Rockwell Automation
( Phone: (414) 382-4794
( Cell: (414) 469-3187
LISTEN. THINK. SOLVE.
What about 'contains'?
Thanks for your response Hubba900. I just tried your suggestion, and
"Contains" produces the same result as "begins". Thank you.
John D. Hahn
Rockwell Automation
( Phone: (414) 382-4794
( Cell: (414) 469-3187
LISTEN. THINK. SOLVE.
I guess at this time 'contains' not work in rules, for example at version 10.3.2. I tried find syntax too and not find... but I think 'contains 13.101.' or 'contains "13.101."' is correct syntax.
Hi Doug,
I think you have the answer! I tested the following:
device.type = "symantecav" && event.cat.name ="Attacks.Malicious
Code.Virus" && ip.addr = "xx.xxx.xx.0/24"
(Noting the "x"s for thread anonymity)
and received the result I expected. Looks like CIDR notation is the answer
for equality. Thank you for your help!
John D. Hahn
Rockwell Automation
( Phone: (414) 382-4794
( Cell: (414) 469-3187
LISTEN. THINK. SOLVE.
If you want to use a single rule to detect hits from a multitude of sources within a netblock, the rule should be:
device.type = "winevent_nic" && alert.id = "access:privilege-escalation-success" && ip.addr=13.101.0.0/16
The data in the IP.addr keys are not in text format, which might explain the vagaries of using text related search parameters like begins and contains.
Hey John,
In case if you want to go with single rule, you can also use custom drill
It can help you with:-
1. Provides direct drilling when multiple events are known for a desired
session
2. Allows logical OR drill not possible via click and pivot operations
As far as Syntax for comparison operators are concerned - Begin / end /
Contains has the same syntax name. Please find the below syntax and its
description.
1. begins -Check for value matches beginning on the left side of the
meta field
2. ends - Check for value matches beginning on the right side of the
meta field
3. contains - Check for value matches against the entire meta field
I am still in process to test the above comparison operators so still
unsure.
I see. Thank you Fielder.
In 9.8 at least, it doesn't appear that "begins" is a valid comparison operator for ip.src, ip.dst, or ip.addr -- the only comparison options are =, !=, exists, and !exists.
You can do VLSM "equality" matches against the IP-based fields which you could use to accomplish the same result:
ip.src = 13.101.0.0/16
As an aside, I've also heard it suggested that the use of ip.addr may not always work the way you would expect and that it's better to use ip.src and/or ip.dst (i.e. ip.src=1.2.3.4 || ip.dst=1.2.3.4 if you want to match either address), but perhaps one of the official RSA folk can speak to whether there is truth in that.