Hello,
I get this error with my rule which is not surprising at all:
validating intermediate representation: event variables are not all joined by equalities, the joined groups are: (ioc), (network)
my rule:
rule IOC_In_Forti {
meta:
...
priority = "Critical"
events:
$network.principal.ip = $srcip
not net.ip_in_range_cidr($network.principal.ip, "10.0.0.0/24")
not net.ip_in_range_cidr($network.principal.ip, "172.16.0.0/12")
not net.ip_in_range_cidr($network.principal.ip, "192.168.0.0/16")
$network.security_result.action_details = "accept"
$network.metadata.log_type ="FORTINET_FIREWALL"
$network.target.hostname = $hostname
$srcip in %MaliciousIPs
or $srcip in %MaliciousIPs2
or $srcip in %MaliciousIPs3
$ioc.graph.metadata.product_name = "ALIENVAULT_OTX"
$ioc.graph.entity.ip = $srcip
match:
$hostname over 24h
condition:
$network and $ioc
}
I want to match the srcip against a reference_list or against graph.entity.ip and if put an "OR" between them it will result in the previous error because of the condition section. Is there any way I can work around this without having to create seperate rules for each one of them?
LinkedIn
Twitter
