ASP Rule not triggering

The data source is a FortiAnalyzer, which is sending us an Application Control event. Below I detail the packet of the event that we use as an example:

<190>date=2018-10-01 time=15:19:23 devname=FW-TRAFSEG-01 devid=FG-5KD3915800565 logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information vd="REF1007585" appid=15895 user="I_CORTE" srcip=xxx.xxx.xxx.xxx srcport=40970 srcintf="vl2191in" dstip=xx.xxx.xxx.xxx dstport=443 dstintf="vl2190out" proto=6 service="HTTPS" policyid=84 sessionid=2642409682 applist="Block_app_redes_sociales" appcat="Network.Service" app="SSL" action=pass msg="Network.Service: SSL," apprisk=elevated

Based on this packet I generated a parsing rule with the following regular expression:

date=(\S*).+time=(\S*).+logid=(\S*).+subtype=(app-ctrl).+vd=(\S*).+user=\"(\S*|\S*.\S*)\".+srcip=(\S*).+srcport=(\S*).+dstip=(\S*).+dstport=(\S*).+service=(\S*).+sessionid=(\S*).+appcat=\"(\S*)\".+app=\"(\S*)\".+action=(\S*).+(hostname=\"(\S*)\".+url=\"(\S*)\".+)?apprisk=(\S*)

I tried the same with the sample log data, which matches the packet:

[Screenshot: InkedRegla de Parseo_LI.jpg]

I assign it to the desired data source, and it is listed under Signature ID 5000037:

[Screenshot: Signature ID.PNG]

I roll out the policy to the associated data source and run the task so that it pulls in the new events, but the events that should parse under the new ASP rule do not; instead they parse under a data source rule with the name APPLICATION-CONTROL:

[Screenshot: Sin título2.png]

I filter on Sig ID 5000037 over the events of the last 30 minutes (after pulling the data source's events), but it does not return any events:

[Screenshot: InkedEvent Sumary_LI.jpg]

I understand that these are the steps to generate a new ASP rule, but it is not working :/

What am I doing wrong?

Thanks for your time!


McAfee Employee mherr

Re: ASP Rule not triggering

It looks like there is an existing ASP for Application Control events. The signature ID is 1025649. On the parsing tab, you will see in the second text box "app-ctrl", which is in your sample event. The second text box is like a pre-parser. It looks for this content string and, if it matches, it proceeds to the next step of trying to parse the event.

[Screenshot: FN-app-ctrl.PNG]

If you want your parser to take over, you will need to add this app-ctrl content string to your parser and also disable the built-in parser and push out policy. You may need to delete the auto-learned data source rules for the previous app control events.

Additionally, you won't be able to filter with the signature ID from the parser. That is just the parser ID. Once you start parsing events, each event will be assigned a signature ID, such as 355-#########. You can filter on that Signature ID, which will be in the data source rules.

Is the default rule not working for you? Is certain event data missing? You can always copy and modify it to add additional parsing to it.
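A small Python model of the two-stage match the reply describes, added here as an illustration and not code from the thread or from McAfee ESM: the content string is checked first, and only if it is present is the poster's regular expression (de-garbled) run over the sample event. The `parse_event` helper and the field names assigned to the capture groups are assumptions; ESM itself numbers the groups positionally.

```python
import re
from typing import Optional

# Constructed sample: the FortiAnalyzer app-ctrl event from the post, with the
# masked srcip/dstip values kept as the poster wrote them.
SAMPLE_EVENT = (
    '<190>date=2018-10-01 time=15:19:23 devname=FW-TRAFSEG-01 devid=FG-5KD3915800565 '
    'logid=1059028704 type=utm subtype=app-ctrl eventtype=app-ctrl-all level=information '
    'vd="REF1007585" appid=15895 user="I_CORTE" srcip=xxx.xxx.xxx.xxx srcport=40970 '
    'srcintf="vl2191in" dstip=xx.xxx.xxx.xxx dstport=443 dstintf="vl2190out" proto=6 '
    'service="HTTPS" policyid=84 sessionid=2642409682 applist="Block_app_redes_sociales" '
    'appcat="Network.Service" app="SSL" action=pass msg="Network.Service: SSL," apprisk=elevated'
)

# The poster's ASP regular expression, written as one Python raw string.
ASP_REGEX = re.compile(
    r'date=(\S*).+time=(\S*).+logid=(\S*).+subtype=(app-ctrl).+vd=(\S*).+'
    r'user=\"(\S*|\S*.\S*)\".+srcip=(\S*).+srcport=(\S*).+dstip=(\S*).+dstport=(\S*).+'
    r'service=(\S*).+sessionid=(\S*).+appcat=\"(\S*)\".+app=\"(\S*)\".+action=(\S*).+'
    r'(hostname=\"(\S*)\".+url=\"(\S*)\".+)?apprisk=(\S*)'
)

# Assumed labels for the 19 capture groups, in the order they appear above.
FIELDS = ["date", "time", "logid", "subtype", "vd", "user", "srcip", "srcport",
          "dstip", "dstport", "service", "sessionid", "appcat", "app", "action",
          "hostname_url_block", "hostname", "url", "apprisk"]


def parse_event(raw: str, content_string: str = "app-ctrl") -> Optional[dict]:
    """Model of the ASP match order: the pre-parser content string must be
    present in the raw event before the full regex is even attempted.
    Returns the captured fields, or None when the rule does not apply."""
    if content_string not in raw:
        return None  # pre-parser gate fails: the rule is never considered
    match = ASP_REGEX.search(raw)
    if match is None:
        return None  # content string present, but the regex did not match
    return dict(zip(FIELDS, match.groups()))


if __name__ == "__main__":
    fields = parse_event(SAMPLE_EVENT)
    for name, value in (fields or {}).items():
        print(f"{name:>20}: {value}")
    # An event without the content string is rejected before the regex runs.
    print("without app-ctrl:", parse_event(SAMPLE_EVENT.replace("app-ctrl", "webfilter")))
```

Note that groups such as `vd` and `service` capture the surrounding quotes, because the poster's pattern uses a bare `(\S*)` there rather than the `\"(\S*)\"` form used for `appcat` and `app`.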
