Skip to main content

Splunk function equivalent Yara L

  • October 11, 2024
  • 2 replies
  • 102 views
Mufa_shah
Forum|alt.badge.img+4

Hi All,

Good morning ,

I am trying to convert Splunk rules which uses complex functions and thier equivalent YARA L or other way for approach.

Splunk Syntax 

| rex max_match=0 "(\\s+)foreach\\s*\\((?<foreach_clause>.*?)\\)\\s*\\{(?<foreach_loop>.*?\\\\\\r\\\\\\n\\1)\\}"
| rex field=foreach_loop max_match=0 "(\\s+)foreach\\s*\\((?<foreach_clause>.*?)\\)\\s*\\{(?<foreach_loop>.*?)\\\\\\r\\\\\\n\\1\\}"
| search foreach_loop=""*Add-content*""

I think max_match cannot be achieved in Chronicle as of now.  How to approach this?

 

 

2 replies

citreno
Forum|alt.badge.img+6
  • citrenoBronze 1
  • Bronze 1
  • October 11, 2024

Can you help me interpret your regex a bit better? I'm reading this as look for cases where the Add-content field (which is a repeated field) has none of some kind of pattern, but I can't seem to figure out the pattern. 

If that is the case then Chronicle UDM does support repeated fields and I would recommend that for best user experience to make sure the array you are iterating through is in some sort of a repeated field in UDM. (Maybe the parser already handles that or we do some sort of parser extension). Then through YARAL you can use all or any of the repeated fields modifiers. If you perhaps share a sample or a snippet of the log and which log type it is to see the array you are targeting I can perhaps help you with how that would look like with repeated fields, but I believe it would be something like:

not any [repeated_field_in_udm] = /pattern/ 

Note that this might require parser extension but any field worth for-looping through is probably best parsed into UDM. There might be other ways to do it through re. functions but I personally like this solution because I don't have to deal with regex that much and things can look much cleaner once they are parsed. 

Mufa_shah
Forum|alt.badge.img+4
  • Mufa_shahBronze 2
  • Author
  • Bronze 2
  • October 14, 2024

Can you help me interpret your regex a bit better? I'm reading this as look for cases where the Add-content field (which is a repeated field) has none of some kind of pattern, but I can't seem to figure out the pattern. 

If that is the case then Chronicle UDM does support repeated fields and I would recommend that for best user experience to make sure the array you are iterating through is in some sort of a repeated field in UDM. (Maybe the parser already handles that or we do some sort of parser extension). Then through YARAL you can use all or any of the repeated fields modifiers. If you perhaps share a sample or a snippet of the log and which log type it is to see the array you are targeting I can perhaps help you with how that would look like with repeated fields, but I believe it would be something like:

not any [repeated_field_in_udm] = /pattern/ 

Note that this might require parser extension but any field worth for-looping through is probably best parsed into UDM. There might be other ways to do it through re. functions but I personally like this solution because I don't have to deal with regex that much and things can look much cleaner once they are parsed. 


Hi @citreno ,

Sample string

if ( $abcs.count -gt 0 ) {\\r\\n foreach ( $abc in $abc ) {\\r\\n\\r\\n $TotalLineCount = $abc | Get-Content | Measure-Object -Line\\r\\n\\r\\n if ( $TotalLineCount.Lines -gt 2500 ) {\\r\\n\\r\\n $Name = $abc.FullName.Split(\\".\\")\\r\\n\\r\\n $Linecount=0; $i=1; Get-Content $abc.FullName | ForEach-Object {\\r\\n \\r\\n $newfilename = \\"$($Name[0])-$($i).$($Name[1])\\"\\r\\n \\r\\n Add-Content $newfilename \\"$_\\"; $linecount++;\\r\\n\\r\\n if ($linecount -eq 2500) {\\r\\n $i++; $linecount=0 \\r\\n } \\r\\n }\\r\\n \\r\\n # Delete original final file so that it won't be ingested (or fail to ingest)\\r\\n Remove-Item $abc.FullName \\r\\n }\\r\\n }\\r\\n}\\r\\n¶$abcs = Get-ChildItem $LogPath | Where-Object {$_ -like \\"*Overlay-*.csv\\"}\\r\\n


Splunk Regex :- (\\s+)foreach\\s*\\((?<foreach_clause>.*?)\\)\\s*\\{(?<foreach_loop>.*?\\\\\\r\\\\\\n\\1)\\}

I have build this Chronicle equivalent regex :- /(\\s+)foreach\\s*\\(.*?\\)\\s*\\{.*?\\\\r\\\\n\\}{1}/ in regex 101 i am getting match but not in chronicle.

 

 

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.