Feature #315

Using Named variables in PCRE ruleset

Added by over 11 years ago. Updated over 3 years ago.

Status:
New
Priority:
Normal
Assignee:
-
Target version:
-
Start date:
Due date:
% Done:

0%

Resolution:

Description

Named Variables in pcre:

This would make it quicker and simpler to create rules in prelude-lml.

Example from ntsyslog.rules:

# Each (?<name>...) group in the regex becomes a $name variable usable in the rule fields below.
regex=security\[success\] 528 (.*) Successful Logon:  User Name:(?<username>[\w ]+)  Domain:(?<domain>.+)  Logon ID:\((?<lid>.*)\)  Logon Type:(?<ltype>\d+)  Logon Process:(?<lprocess>\w+) .* Workstation Name:(?<wks>\S+); \
    classification.text=Login; \
    classification.reference(0).origin=vendor-specific; \
    classification.reference(0).meaning=Windows Event ID; \
    classification.reference(0).name=528; \
    classification.reference(0).url=http://www.ultimatewindowssecurity.com/events/com189.html; \
    id=1401; \
    revision=3; \
    analyzer(0).name=NTsyslog; \
    analyzer(0).manufacturer=ntsyslog.sourceforge.net; \
    analyzer(0).class=Logging; \
    assessment.impact.severity=low; \
    assessment.impact.completion=succeeded; \
    assessment.impact.type=user; \
    assessment.impact.description=$username successfully logged on on $wks ($domain domain) via $ltype; \
    # Named groups are still numbered in PCRE, so $5 would now be $ltype; use the name instead.
    source(0).process.name=$lprocess; \
    source(0).node.address(0).category=unknown; \
    source(0).node.address(0).address=$wks; \
    source(0).node.name=$wks; \
    source(0).user.category=os-device; \
    source(0).user.user_id(0).type=current-user; \
    source(0).user.user_id(0).name=$username; \
    target(0).user.user_id(0).type=current-user; \
    target(0).user.user_id(0).name=$username; \
    additional_data(0).type=integer; \
    additional_data(0).meaning=Logon type; \
    additional_data(0).data=$ltype; \
    additional_data(1).type=string; \
    additional_data(1).meaning=Authentication domain; \
    additional_data(1).data=$domain; \
    last;

History

#1 Updated by over 11 years ago

Sorry, forgot to use my email address.

#2 Updated by Yoann VANDOORSELAERE about 11 years ago

Implementing named variables would ease ruleset writing, but I am curious about the performance impact it would have. Could you write a small performance test, to compare the speed of captured string retrieval using index/variable?
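As an added illustration (not Prelude-LML code), the Python below shows what the requested feature amounts to: the rule's `(?<name>...)` groups are exposed as `$name` variables next to the existing `$N` indexes, and `compare_lookup_cost` is the indexed-versus-named retrieval timing asked for in #2. Python's `re` only understands `(?P<name>...)`, so the PCRE syntax is rewritten first; the ntsyslog log line is constructed, and the Logon ID group is written as a proper named group.

```python
import re
import timeit

# Constructed ntsyslog-style line for Windows event 528 (sample input, not a real log).
SAMPLE_LOG = (
    "security[success] 528 NT AUTHORITY\\SYSTEM Successful Logon:  User Name:jdoe  "
    "Domain:CORP  Logon ID:(0x0,0x3E7)  Logon Type:2  Logon Process:User32 "
    "Authentication Package:Negotiate Workstation Name:WS01"
)
# The regex from the feature request, with the Logon ID written as a real named group.
RULE_REGEX = (
    r"security\[success\] 528 (.*) Successful Logon:  User Name:(?<username>[\w ]+)  "
    r"Domain:(?<domain>.+)  Logon ID:\((?<lid>.*)\)  Logon Type:(?<ltype>\d+)  "
    r"Logon Process:(?<lprocess>\w+) .* Workstation Name:(?<wks>\S+)"
)
# A reference in a rule value is either indexed ($5) or named ($username).
VAR_RE = re.compile(r"\$(\d+|[A-Za-z_]\w*)")

def compile_pcre(pattern):
    """Compile a PCRE pattern with Python's re, rewriting (?<name> to (?P<name>.
    The lookahead leaves lookbehind assertions (?<= and (?<! untouched."""
    return re.compile(re.sub(r"\(\?<(?=\w)", "(?P<", pattern))

def expand(template, match):
    """Replace every $N / $name reference with the text that group captured."""
    def repl(ref):
        key = ref.group(1)
        return match.group(int(key) if key.isdigit() else key)
    return VAR_RE.sub(repl, template)

def apply_rule(log_line=SAMPLE_LOG):
    """Match the rule and expand the values used in the feature request."""
    m = compile_pcre(RULE_REGEX).match(log_line)
    if m is None:
        return None
    return {
        "description": expand(
            "$username successfully logged on on $wks ($domain domain) via $ltype", m),
        # Named groups are still numbered in PCRE, so $5 is ltype here, not lprocess.
        "dollar5": expand("$5", m),
        "lprocess": expand("$lprocess", m),
    }

def compare_lookup_cost(iterations=200_000):
    """Seconds spent on indexed vs. named retrieval (the test asked for in #2)."""
    m = compile_pcre(RULE_REGEX).match(SAMPLE_LOG)
    by_index = timeit.timeit(lambda: m.group(2), number=iterations)
    by_name = timeit.timeit(lambda: m.group("username"), number=iterations)
    return by_index, by_name
```

The `dollar5` entry shows why mixing `$N` and `$name` in one rule is fragile: adding a named group shifts every later index.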

#3 Updated by Yoann VANDOORSELAERE over 10 years ago

  • Project changed from PRELUDE SIEM to Prelude-LML
  • Category deleted (4)
  • Target version deleted (93)

#4 Updated by Yoann VANDOORSELAERE over 10 years ago

  • Target version set to 0.9.15

#5 Updated by Jean-Charles ROGEZ about 6 years ago

  • Target version changed from 0.9.15 to 121

#6 Updated by Thomas ANDREJAK about 4 years ago

  • Target version changed from 121 to Prelude OSS 3.0.0

#7 Updated by Thomas ANDREJAK over 3 years ago

  • Target version changed from Prelude OSS 3.0.0 to Prelude OSS 3.1.0

#8 Updated by Thomas ANDREJAK over 3 years ago

  • Target version deleted (Prelude OSS 3.1.0)
