Hello Community,
We are stuck on a simple but confusing case in regex/strings within Chronicle; the documentation doesn't specifically mention this part.
We are trying to match a field_A value with part of field_B's value.
Ex:
$oringalfile.field_A = "test.py"
$secondaryfilefullpath= "etc/somedirectory/test.py"
What is the best way to match this? Split off the end part of the string, store it and then compare? How do we achieve this? Would be great if I can get a lead here.
Thank you!
Yara-L split regex match
Best answer by jstoner
There isn't a single way to do this (for better or worse), so here is how I do it. You can put the comparison of the two strings on the same line; however, having them broken out on separate lines as you are building it allows you to throw that placeholder variable ($common_file) into the outcome section to view the output and tune the regex if needed.
What I like to do is get the first part of the rule triggering, then the second part, and then put the join together last, when I know those two values are being regex'd correctly, but that's just me.
While nocase should work, using what I outlined above, I prefer to use strings.to_lower (or upper) on the captured value so I know I have the case I want when I compare them. You can use case insensitivity via re2 or nocase, but I like strings.to_lower better in this example.
Hope this helps.
rule rule_comparison_using_re_capture_between_files {
  meta:
    author = "Google Cloud Security"
  events:
    $process.metadata.event_type = "PROCESS_LAUNCH"
    $process.metadata.log_type = "WINDOWS_SYSMON"
    $process.principal.hostname = $hostname
    strings.to_lower(re.capture($process.principal.process.file.full_path, `(?:.*[\\\\/])?([^\\\\/]+\\.exe)`)) = $common_file
    $other_process.metadata.event_type = "PROCESS_LAUNCH"
    $other_process.metadata.log_type != "WINDOWS_SYSMON"
    $other_process.principal.hostname = $hostname
    strings.to_lower(re.capture($other_process.target.process.file.full_path, `(?:.*[\\\\/])?([^\\\\/]+\\.exe)`)) = $common_file
  match:
    $hostname, $common_file over 5m
  condition:
    $process and $other_process
}
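To see what the capture-then-join logic in the answer above does before wiring it into a rule, here is an added Python stand-in (not part of the original thread or of Chronicle) that applies the same basename capture and 5-minute, same-host join to a few constructed events; the `.exe` suffix is kept from the rule and can be swapped for `.py` to mirror the original question.

```python
import re
from datetime import datetime, timedelta
from typing import Optional

# Same idea as the YARA-L capture: optional directory prefix ending in / or \,
# then the basename ending in .exe. Case-insensitive, like nocase.
BASENAME_RE = re.compile(r'(?:.*[\\/])?([^\\/]+\.exe)$', re.IGNORECASE)

def common_file(full_path: str) -> Optional[str]:
    """Lower-cased basename (the rule's $common_file), or None when nothing is captured."""
    m = BASENAME_RE.match(full_path or "")
    return m.group(1).lower() if m else None

def correlate(events, window=timedelta(minutes=5)):
    """Return (hostname, basename) pairs seen both in a Sysmon launch and in a
    non-Sysmon launch on the same host within the window."""
    sysmon, other = [], []
    for ev in events:
        key = (ev["hostname"], common_file(ev["full_path"]))
        if key[1] is None:            # no .exe basename captured: drop the event
            continue
        (sysmon if ev["log_type"] == "WINDOWS_SYSMON" else other).append((key, ev["ts"]))
    hits = set()
    for key, ts1 in sysmon:
        for key2, ts2 in other:
            if key == key2 and abs(ts1 - ts2) <= window:
                hits.add(key)
    return sorted(hits)

# Constructed sample events (hypothetical hosts and log types, not real telemetry).
T = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [
    {"hostname": "ws01", "log_type": "WINDOWS_SYSMON", "full_path": r"C:\Windows\System32\cmd.EXE", "ts": T},
    {"hostname": "ws01", "log_type": "EDR_VENDOR",     "full_path": "cmd.exe",                       "ts": T + timedelta(minutes=1)},
    {"hostname": "ws01", "log_type": "WINDOWS_SYSMON", "full_path": r"C:\tools\putty.exe",          "ts": T},
    {"hostname": "ws02", "log_type": "EDR_VENDOR",     "full_path": "/opt/putty.exe",                "ts": T + timedelta(minutes=2)},
    {"hostname": "ws01", "log_type": "EDR_VENDOR",     "full_path": r"C:\tools\notes.txt",          "ts": T},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["full_path"], "->", common_file(ev["full_path"]))
    print(correlate(EVENTS))   # only ws01/cmd.exe: putty.exe is on different hosts
```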