"contain" not available for command field while creating alarm

Hi All,

Cannot see the option to use "contain" for the command field in any alarm. After going through many posts in this community, I understand that this can be done through a regex on an ESM string watchlist. But the problem is that ESM_string will only work in the case of a view/report and not for alarms, since the lowest update frequency we can set is "every 15 minutes".


Is there any other way around this? Let's say I want to create an alarm if the command field contains "erase". As far as I understand, we cannot directly use regex either. Any inputs will be appreciated.

4 Replies
xded

Re: "contain" not available for command field while creating alarm

Make a new correlation rule with this search string and set the Signature ID from this correlation in the Alarm. But this doesn't work for command because you can't use contains for this field. Contains works only for fields with the attribute String.

Re: "contain" not available for command field while creating alarm

Exactly, that is the problem; Command is the field where I want to put a "contains" condition, since the firewall commands executed are being mapped to this field.

Wondering if there is any easy way to change the parser and put the commands executed into a field which supports the string attribute?

Re: "contain" not available for command field while creating alarm

Probably the best way would be to copy the ASP rule and modify it to parse the field you want into a string field.

Re: "contain" not available for command field while creating alarm

It should be of "random string" type. Sometimes creating a dynamic watchlist with ESM strings (supports regexp) could help. You can then compare values from logs with that watchlist (in an alarm or correlation). There were a few how-tos on this forum about that issue.
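The two suggestions above (parse the executed command into a string-typed field, then compare it against a regex watchlist) can be illustrated outside the product. The following is an added example written for this page, not McAfee ESM ASP rule syntax or code from any of the posters: it pulls the command text out of constructed firewall syslog lines (in the style of Cisco ASA 111008 audit messages) into its own field, then applies a case-insensitive "contains"-style regex watchlist, and contrasts that with the exact-value comparison that is all a non-string field allows. The log lines, the watchlist entries and the function names are all assumptions made for the example.

```python
"""Illustrative parse-then-contains detection (not McAfee ESM ASP syntax).

Step 1: extract the executed command from the raw event into a string field.
Step 2: compare that string field against a regex watchlist (the "ESM string"
        style watchlist) instead of an exact value.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample lines in the style of Cisco ASA 111008 audit messages.
SAMPLE_LOGS = [
    "<166>Jun 12 10:01:03 fw01 %ASA-5-111008: User 'admin' executed the 'show running-config' command.",
    "<166>Jun 12 10:02:17 fw01 %ASA-5-111008: User 'admin' executed the 'write erase' command.",
    "<166>Jun 12 10:03:44 fw01 %ASA-5-111008: User 'ops' executed the 'clear configure all' command.",
    "<166>Jun 12 10:04:09 fw01 %ASA-5-111008: User 'ops' executed the 'ERASE flash:' command.",
    "<166>Jun 12 10:05:30 fw01 %ASA-6-302013: Built outbound TCP connection 1234 for outside:10.0.0.5/443",
]

# Parser pattern: the 'command' group is what a custom ASP rule would map into a string field.
COMMAND_RE = re.compile(r"executed the '(?P<command>[^']*)' command")

# Assumed watchlist of destructive commands, expressed as regexes so substrings match.
DESTRUCTIVE_PATTERNS = [r"\berase\b", r"\bclear configure\b", r"\bformat\b", r"\bdelete\b"]


def extract_command(line: str) -> Optional[str]:
    """Return the executed command from an audit line, or None if the line has none."""
    m = COMMAND_RE.search(line)
    return m.group("command") if m else None


def match_watchlist(command: str, patterns: List[str] = DESTRUCTIVE_PATTERNS) -> Optional[str]:
    """Return the first watchlist regex the command contains (case-insensitive), else None."""
    for pat in patterns:
        if re.search(pat, command, re.IGNORECASE):
            return pat
    return None


def exact_match_alarm(command: str, value: str = "erase") -> bool:
    """Exact comparison, the only check available on a non-string field.

    It fires only when the whole command is literally the value, so 'write erase'
    and 'ERASE flash:' are missed; that is the gap the thread is about.
    """
    return command == value


def evaluate(lines: List[str], patterns: List[str] = DESTRUCTIVE_PATTERNS) -> List[Tuple[int, str, str]]:
    """Run parse-then-contains over log lines; return (line_index, command, matched_pattern)."""
    hits = []
    for i, line in enumerate(lines):
        cmd = extract_command(line)
        if cmd is None:
            continue  # not a command-audit event, nothing to compare
        pat = match_watchlist(cmd, patterns)
        if pat is not None:
            hits.append((i, cmd, pat))
    return hits


if __name__ == "__main__":
    for idx, cmd, pat in evaluate(SAMPLE_LOGS):
        print(f"ALARM line {idx}: command={cmd!r} matched watchlist entry {pat!r}")
    # Contrast: exact match against "erase" fires on none of the sample commands.
    print([exact_match_alarm(extract_command(l) or "") for l in SAMPLE_LOGS])
```

The word boundaries in the watchlist keep a pattern like `erase` from firing on unrelated tokens, and the case-insensitive flag covers operators who type commands in upper case; whatever mechanism ends up carrying the watchlist in the SIEM, those are the two behaviours worth confirming against real events before relying on the alarm.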