Skip to content

Allow inserting static decoder in rules description#397

Merged
albertomn86 merged 2 commits intomasterfrom
dev-static-field-comment
Feb 16, 2018
Merged

Allow inserting static decoder in rules description#397
albertomn86 merged 2 commits intomasterfrom
dev-static-field-comment

Conversation

@vikman90
Copy link
Member

@vikman90 vikman90 commented Feb 15, 2018

This PR allows static field substitution in rule comments.

If a field does not exist or it's empty, the parameter will be deleted.

Example

Decoder:

<decoder name="demo">
  <prematch>^demo: </prematch>
  <program_name>myapp</program_name>
  <regex offset="after_prematch">^(\S+) (\S+) (\S+) (\S+) (\S+)</regex>
  <order>srcip,action,item,url,arg</order>
</decoder>

Rule:

<rule id="100001" level="5">
  <decoded_as>demo</decoded_as>
  <description>srcip=$(srcip), action=$(action), item=$(item), url=$(url), dstip=$(dstip), fz=$(fz), k=$k</description>
</rule>

Alert example:

Feb 16 14:00:00 localhost myapp: demo: 1.2.3.4 insert tuple http://example.com 2.3.4.5


**Phase 1: Completed pre-decoding.
       full event: 'Feb 16 14:00:00 localhost myapp: demo: 1.2.3.4 insert tuple http://example.com 2.3.4.5'
       timestamp: 'Feb 16 14:00:00'
       hostname: 'localhost'
       program_name: 'myapp'
       log: 'demo: 1.2.3.4 insert tuple http://example.com 2.3.4.5'

**Phase 2: Completed decoding.
       decoder: 'demo'
       srcip: '1.2.3.4'
       action: 'insert'
       item: 'tuple'
       url: 'http://example.com'
       arg: '2.3.4.5'

**Phase 3: Completed filtering (rules).
       Rule id: '100001'
       Level: '5'
       Description: 'srcip=1.2.3.4, action=insert, item=tuple, url=http://example.com, dstip=, fz=, k=$k'
**Alert to be generated.

@vikman90 vikman90 requested a review from albertomn86 February 15, 2018 22:14
@albertomn86
Copy link
Contributor

albertomn86 commented Feb 16, 2018

Output before apply this patch:

Feb 16 14:00:00 localhost myapp: demo: 1.2.3.4 insert tuple http://example.com 2.3.4.5


**Phase 1: Completed pre-decoding.
       full event: 'Feb 16 14:00:00 localhost myapp: demo: 1.2.3.4 insert tuple http://example.com 2.3.4.5'
       timestamp: 'Feb 16 14:00:00'
       hostname: 'localhost'
       program_name: 'myapp'
       log: 'demo: 1.2.3.4 insert tuple http://example.com 2.3.4.5'

**Phase 2: Completed decoding.
       decoder: 'demo'
       srcip: '1.2.3.4'
       action: 'insert'
       item: 'tuple'
       url: 'http://example.com'
       arg: '2.3.4.5'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '5'
       Description: 'srcip=$(srcip), action=$(action), item=tuple, url=$(url), dstip=$(dstip), fz=$(fz), k=$k'

After apply the patch:

Feb 16 14:00:00 localhost myapp: demo: 1.2.3.4 insert tuple http://example.com 2.3.4.5


**Phase 1: Completed pre-decoding.
       full event: 'Feb 16 14:00:00 localhost myapp: demo: 1.2.3.4 insert tuple http://example.com 2.3.4.5'
       timestamp: 'Feb 16 14:00:00'
       hostname: 'localhost'
       program_name: 'myapp'
       log: 'demo: 1.2.3.4 insert tuple http://example.com 2.3.4.5'

**Phase 2: Completed decoding.
       decoder: 'demo'
       srcip: '1.2.3.4'
       action: 'insert'
       item: 'tuple'
       url: 'http://example.com'
       arg: '2.3.4.5'

**Phase 3: Completed filtering (rules).
       Rule id: '100002'
       Level: '5'
       Description: 'srcip=1.2.3.4, action=insert, item=tuple, url=http://example.com, dstip=, fz=, k=$k'
**Alert to be generated.

@albertomn86 albertomn86 merged commit 2422dfb into master Feb 16, 2018
@albertomn86 albertomn86 deleted the dev-static-field-comment branch February 16, 2018 02:56
@vikman90 vikman90 added the type/enhancement New feature or request label Jun 7, 2018
@vikman90 vikman90 mentioned this pull request Sep 24, 2018
Closed
8 tasks
@albertomn86 albertomn86 mentioned this pull request Nov 23, 2018
Closed
16 tasks
Darioortegaleyva pushed a commit that referenced this pull request Feb 6, 2026
@cristgl @chemamartinez
Fix Microsoft Antimalware and Eventlog events channels (#397)
9b41228
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@albertomn86 albertomn86 Awaiting requested review from albertomn86

Assignees

@albertomn86 albertomn86

Labels

type/enhancement New feature or request

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vikman90 @albertomn86