This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Webinar May 29th: Log Ingestion: Bindplane + Google SecOps
Log in to ask a question

Splunk function equivalent Yara L

Posted on 10-10-2024 11:30 PM
Mufa_shah
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi All,

Good morning ,

I am trying to convert Splunk rules which uses complex functions and thier equivalent YARA L or other way for approach.

Splunk Syntax 

| rex max_match=0 "(\s+)foreach\s*\((?<foreach_clause>.*?)\)\s*\{(?<foreach_loop>.*?\\\r\\\n\1)\}"
| rex field=foreach_loop max_match=0 "(\s+)foreach\s*\((?<foreach_clause>.*?)\)\s*\{(?<foreach_loop>.*?)\\\r\\\n\1\}"
| search foreach_loop=""*Add-content*""

I think max_match cannot be achieved in Chronicle as of now.  How to approach this?

 

 

0 2 483
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
citreno
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

Can you help me interpret your regex a bit better? I'm reading this as look for cases where the Add-content field (which is a repeated field) has none of some kind of pattern, but I can't seem to figure out the pattern. 

If that is the case then Chronicle UDM does support repeated fields and I would recommend that for best user experience to make sure the array you are iterating through is in some sort of a repeated field in UDM. (Maybe the parser already handles that or we do some sort of parser extension). Then through YARAL you can use all or any of the repeated fields modifiers. If you perhaps share a sample or a snippet of the log and which log type it is to see the array you are targeting I can perhaps help you with how that would look like with repeated fields, but I believe it would be something like:

not any [repeated_field_in_udm] = /pattern/ 

Note that this might require parser extension but any field worth for-looping through is probably best parsed into UDM. There might be other ways to do it through re. functions but I personally like this solution because I don't have to deal with regex that much and things can look much cleaner once they are parsed. 

0 Likes

Posted on --/--/---- --:-- AM
Mufa_shah
Bronze 4
Bronze 4
In response to citreno
Reply posted on --/--/---- --:-- AM

Hi @citreno ,

Sample string

if ( $abcs.count -gt 0 ) {\r\n foreach ( $abc in $abc ) {\r\n\r\n $TotalLineCount = $abc | Get-Content | Measure-Object -Line\r\n\r\n if ( $TotalLineCount.Lines -gt 2500 ) {\r\n\r\n $Name = $abc.FullName.Split(\".\")\r\n\r\n $Linecount=0; $i=1; Get-Content $abc.FullName | ForEach-Object {\r\n \r\n $newfilename = \"$($Name[0])-$($i).$($Name[1])\"\r\n \r\n Add-Content $newfilename \"$_\"; $linecount++;\r\n\r\n if ($linecount -eq 2500) {\r\n $i++; $linecount=0 \r\n } \r\n }\r\n \r\n # Delete original final file so that it won't be ingested (or fail to ingest)\r\n Remove-Item $abc.FullName \r\n }\r\n }\r\n}\r\nยถ$abcs = Get-ChildItem $LogPath | Where-Object {$_ -like \"*Overlay-*.csv\"}\r\n


Splunk Regex :- (\s+)foreach\s*\((?<foreach_clause>.*?)\)\s*\{(?<foreach_loop>.*?\\\r\\\n\1)\}

I have build this Chronicle equivalent regex :- /(\s+)foreach\s*\(.*?\)\s*\{.*?\\r\\n\}{1}/ in regex 101 i am getting match but not in chronicle.

Mufa_shah_0-1728892037416.pngMufa_shah_1-1728892347645.png

 

 

0 Likes
Top Solution Authors
View all