
How to use regex with an RSA Security Analytics ESA Rule

Issue

How to use regex with an RSA Security Analytics ESA Rule.


Resolution

Below is an example of an ESA rule using regex, which can be pasted in Expert Mode.

/*
 This basic template is a placeholder for defining basic EPL content that can be
 installed and executed in ESA. The sample below is the minimum that would be required
 to get started.
*/

/*
 Module debug section. If this is empty then debugging is off.
*/

/* EPL section. If there is no text here it means there were no statements. */

module RegexTest;

@Name('RegexTest')
@Description('')
@RSAAlert(oneInSeconds=60)
@Audit('stream')

SELECT * FROM Event(domain_dst REGEXP '.*bbc.*');

This rule will fire if the domain_dst field contains bbc.
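To see why the rule wraps bbc in '.*' on both sides, the following added example (not part of the article or the ESA product) models the REGEXP test in Python. It assumes that ESA's REGEXP behaves like Java's Matcher.matches(), i.e. the pattern must cover the whole field value, and it uses constructed events modelled on the domain_dst field in the log excerpt below.

```python
import re

# Constructed sample events modelled on the domain_dst field shown in the
# esa.log excerpt; these are not real captured sessions.
EVENTS = [
    {"sessionid": 1, "domain_dst": "bbc.co.uk"},
    {"sessionid": 2, "domain_dst": "www.bbc.com"},
    {"sessionid": 3, "domain_dst": "example.org"},
    {"sessionid": 4, "domain_dst": "bbc-lookalike.example"},
]


def esa_regexp(value, pattern):
    """Model of the REGEXP operator used in the rule above.

    Assumption: as with Java's Matcher.matches(), the pattern must match the
    entire field value (hence '.*bbc.*' rather than 'bbc' in the rule).
    A missing field never matches.
    """
    return value is not None and re.fullmatch(pattern, value) is not None


def matching_sessions(events, pattern, field="domain_dst"):
    """Return the sessionids for which the ESA rule would raise an alert."""
    return [e["sessionid"] for e in events if esa_regexp(e.get(field), pattern)]


if __name__ == "__main__":
    # The article's pattern: any domain_dst containing 'bbc'.
    print(matching_sessions(EVENTS, r".*bbc.*"))
    # Same text without the wildcards: whole-value match, so nothing fires.
    print(matching_sessions(EVENTS, r"bbc"))
    # Anchored to the intended domains; the lookalike no longer fires.
    print(matching_sessions(EVENTS, r"(.*\.)?bbc\.(co\.uk|com)"))
```

The third pattern shows how to tighten the rule once @Audit('stream') output confirms which field values are actually arriving, reducing alerts on unrelated domains that merely contain the substring.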


Notes

The @Audit('stream') annotation can be removed, but it is useful for debugging: it prints each event that passes the rule's filter to the log /opt/rsa/esa/logs/esa.log, which helps when troubleshooting why a rule does or does not fire. An example log line follows.

2014-07-14 16:12:58,841 [pipeline-sessions-0] INFO  com.espertech.esper.audit - Statement RegexTest stream Event(.boolean_expressionboolean_expr...) inserted Event[{esa_time=1405354378834, client=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36, query=~RS~s~RS~News~RS~t~RS~eav2_Load~RS~i~RS~0~RS~p~RS~0~RS~a~RS~International~RS~u~RS~http%3A%2F%2Fwww.bbc.com%2Fnews%2Fworld-europe-28288823~RS~r~RS~0~RS~q~RS~0~RS~z~RS~20~RS~, alias_host=[stats.bbc.co.uk, stats.bbc.co.uk, stats.bbc.co.uk], payload=1460, packets=12, org_dst=BBC, Network_Name=DWAUGH_INTERCEPT, domain_dst=bbc.co.uk, ip_dst=212.58.244.39, time=1405354337, tcp_dstport=80, eth_src=00:50:56:03:01:fc, action=[get, get, get], filetype=gif, longdec_dst=-0.2333, eth_dst=00:50:56:03:03:fb, eth_src_vendor=VMware, Inc., query_element=~RS~s~RS~News~RS~t~RS~eav2_Load~RS~i~RS~0~RS~p~RS~0~RS~a~RS~International~RS~u~RS~http%3A%2F%2Fwww.bbc.com%2Fnews%2Fworld-europe-28288823~RS~r~RS~0~RS~q~RS~0~RS~z~RS~20~RS~, tcp_srcport=52418, latdec_dst=51.2833, lifetime=60, asn_dst=2818, did=rsadecoder, ip_proto=6, sessionid=140831147, medium=1, size=2156, content=image/gif, orig_ip=192.168.123.13, extension=gif, eth_dst_vendor=VMware, Inc., rid=11745952, alias_ip=[212.58.244.39], directory=/, tcp_flags=27, service=80, filename=o.gif, server=Apache, streams=2, language=en-US,en;q=0.8,es;q=0.6, referer=http://www.bbc.com/news/world-europe-28288823, event_source_id=192.168.123.240:50005:140831147, city_dst=Tadworth, country_dst=United Kingdom, eth_type=2048, tld=uk, ip_src=192.168.200.27}]


Internal Comments

UserName:shurtj
8/12/2014 2:08:19 PM - Updated Article
Updated article and made changes to abide by Primus best practices.

Product Details

RSA Security Analytics
RSA Security Analytics Event Stream Analysis
