Thread: prewikka filters question != not working correctly?

prewikka filters question != not working correctly?
2007-08-30 14:54:10
I've recently installed prelude, and it's working very nicely. Very slick tool once you get it up and running.

However, I recently tried to set up some filters in prewikka. Most of these work as I expect, but one did not.

First, I created a simple filter to pull off all events generated by my ASA. This did a check on "alert.analyzer.name = ASA". It works beautifully. When I apply it, I get all my ASA events, and nothing else.

Then I wanted to create a simple filter to pull off everything EXCEPT those generated by my ASA. Here, I failed.

I tried:
alert.analyzer.name != ASA
alert.analyzer.name <> ASA
alert.analyzer.name !~ ASA
alert.analyzer.name !=* ASA
alert.analyzer.name !<> ASA

But none of them seemed to have any effect on the number of matches when I apply the filter. The summary page does get a bit less detailed, but the number of events remains the same, and events from arpwatch, sshd, etc all remain.

So how does one make a prewikka filter of this sort?

Also, what's the difference between != and !=* (ie: what does the * modifier that's available in so many places do?)?


For reference I'm currently running these versions:
prewikka-0.9.12.1 (latest)
libprelude-0.9.14 (2 releases behind)
libpreludedb-0.9.12 (1 release behind)
prelude-manager-0.9.9 (1 release behind)
prelude-lml-0.9.10 (1 release behind)


_______________________________________________
Prelude-user site list
Prelude-userprelude-ids.org
http://www.prelude-ids.org/mailman/listinfo/prelude-user


Re: prewikka filters question != not working correctly?
2007-08-30 15:05:10
Hey Matt

> Also, what's the difference between != and !=* (ie: what's the *
> modifier that's available so many places do?)?

The asterisk means case-insensitivity, see
https://trac.prelude-ids.org/wiki/IDMEFCriteria

 -regards, bjeorn


Re: prewikka filters question != not working correctly?
2007-08-30 15:42:22
Bjoern Weiland wrote:
> Hey Matt
>
>> Also, what's the difference between != and !=* (ie: what's the *
>> modifier that's available so many places do?)?
>
> The asterisk means case-insensitivity, see
> https://trac.prelude-ids.org/wiki/IDMEFCriteria


Thank you Bjoern. Most helpful.


That said, does anyone have any idea why != doesn't work?

For what it's worth, !<>* doesn't work either, even though my filter does work in the positive sense with =.

I also can give some specific examples of what information gets removed from the report when using a != filter. (Note: details are removed, but events are not.)

For example classification:

Packet denied
(vendor-specific:106023)

Stays the same when I apply an alert.analyzer.name = ASA, and all the non-ASA events disappear.

When I apply an alert.analyzer.name != ASA, the vendor-specific part disappears.

Also, any details under target like "Process name" and "UserId name" disappear, and the port numbers disappear too. But strangely, I go back to having all the events, ASA or not.

So a target:

server.evitechnology.com:22/tcp
10.xx.xx.xx:22/tcp
UserId name: root
Process name: sshd (11932)

Just simply becomes:
10.33.18.39

And it shouldn't even be in the list because the sensor is "sshd (server.evitechnology.com)".. there's no ASA in it.




Re: prewikka filters question != not working correctly?
2007-08-30 17:42:04
Matt Kettler wrote:

> That said, does anyone have any idea why != doesn't work?

Even more notes.

!= (and other ! prefixed operators) work correctly when applied to alert.classification.reference.meaning.

However they don't work properly when applied to alert.analyzer.name, even though = does work properly.

That's downright weird.



Re: prewikka filters question != not working correctly?
2007-08-31 08:17:50
On Thursday 30 August 2007 at 18:42 -0400, Matt Kettler wrote:
> Matt Kettler wrote:
>
>> That said, does anyone have any idea why != doesn't work?
>
> Even more notes.
>
> != (and other ! prefixed operators) work correctly when applied to
> alert.classification.reference.meaning.
>
> However they don't work properly when applied to alert.analyzer.name, even
> though = does work properly.
>
> That's downright weird.

Hi Matt,

What is happening is that the negative operator does not work as you expect on a listed IDMEF path with more than one index.

To be more precise, 'alert.analyzer.name != ASA' won't match because some of the indexed analyzer name elements do not contain 'ASA':

alert.analyzer(0).name = 'prelude-manager'
alert.analyzer(1).name = 'prelude-lml'
alert.analyzer(2).name = 'ASA'

This is a libpreludedb specific limitation (you won't notice the same behavior when using IDMEF-Criteria in a non-database context - Prelude-Manager for example - since (recent) libprelude can handle those queries with more flexibility).

If you'd like to document this specific behavior on the wiki, that would be nice!

Hope this helps,

-- 
Yoann Vandoorselaere | Responsable R&D / CTO | PreludeIDS Technologies
Tel: +33 (0)8 70 70 21 58    Fax: +33(0)4 78 42 21 58
http://www.prelude-ids.com
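To make the behaviour Yoann describes concrete, here is an added Python model (not code from prewikka, libprelude or libpreludedb) of the two ways a negated operator can be applied to a multi-valued IDMEF path such as alert.analyzer.name: per indexed element, which is what the thread says libpreludedb does, versus over the whole list, which is what the filter author expects. The alerts and their analyzer chains are constructed sample data modelled on the thread.

```python
# Constructed sample alerts. Each multi-valued IDMEF path is a list, e.g.
# alert.analyzer(0).name, alert.analyzer(1).name, ... for the analyzer chain
# (manager -> lml -> originating sensor), as shown in the thread.
ALERTS = [
    {"id": 1, "analyzer.name": ["prelude-manager", "prelude-lml", "ASA"],
     "classification.text": ["Packet denied"]},
    {"id": 2, "analyzer.name": ["prelude-manager", "prelude-lml", "sshd"],
     "classification.text": ["Failed password"]},
    {"id": 3, "analyzer.name": ["prelude-manager", "arpwatch"],
     "classification.text": ["new station"]},
]

# Positive operators; the trailing '*' is the case-insensitive form
# (per the IDMEFCriteria wiki page cited in the thread).
POSITIVE = {
    "=": lambda a, b: a == b,
    "=*": lambda a, b: a.lower() == b.lower(),
}


def match_per_element(alert, path, op, value):
    """libpreludedb-style semantics as described in the thread: the criterion
    holds if ANY indexed element of the path satisfies the operator.  For a
    negated operator this is 'exists element != value', so an alert whose
    chain contains prelude-manager and ASA still matches 'name != ASA'."""
    negate = op.startswith("!")
    base = POSITIVE[op[1:] if negate else op]
    return any(base(elem, value) != negate for elem in alert[path])


def match_whole_list(alert, path, op, value):
    """What a filter author expects: a negated operator holds only if NO
    element satisfies the positive form ('not exists element == value')."""
    negate = op.startswith("!")
    base = POSITIVE[op[1:] if negate else op]
    hit = any(base(elem, value) for elem in alert[path])
    return not hit if negate else hit


def apply_filter(alerts, path, op, value, matcher):
    """Return the ids of alerts kept by the filter under the given matcher."""
    return [a["id"] for a in alerts if matcher(a, path, op, value)]


if __name__ == "__main__":
    for name, m in (("per-element", match_per_element), ("whole-list", match_whole_list)):
        print(name, "analyzer.name != ASA ->",
              apply_filter(ALERTS, "analyzer.name", "!=", "ASA", m))
```

On a single-valued path such as classification.text both matchers agree, which is why the negated operators appeared to work for Matt on one path and not the other.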


Re: prewikka filters question != not working correctly?
2007-09-01 04:02:25
> This is a libpreludedb specific limitation (you won't notice the same
> behavior when using IDMEF-Criteria in non database context -
> Prelude-Manager for example - since (recent) libprelude can handle those
> query with more flexibility).

but if i set up the following IDMEF filter in the manager's conf:

[idmef-criteria]
rule = alert.classification.text != 'Malware submitted'
rule = alert.assessment.impact.severity == 'high'
hook = TextMod[default]


the first alert i got was:

********************************************************************************
* Alert: ident=52730502127302
* Classification ident: 20
* Classification text: Malware submitted
* Reference origin: vendor-specific
* Reference name:
--- snip ---

although i DONT want any "Malware submitted" alert, as stated in the idmef-criteria...
The severity rule seems to work, i only get high severity alerts, but i do get "Malware submitted"

 -regards, bjoern


Re: prewikka filters question != not working correctly?
2007-09-05 03:02:15
Hi Bjoern,

On Saturday 01 September 2007 at 11:02 +0200, Bjoern Weiland wrote:
>> This is a libpreludedb specific limitation (you won't notice the same
>> behavior when using IDMEF-Criteria in non database context -
>> Prelude-Manager for example - since (recent) libprelude can handle those
>> query with more flexibility).
>
> but if i set up the following IDMEF filter in the manager's conf:
>
> [idmef-criteria]
> rule = alert.classification.text != 'Malware submitted'
> rule = alert.assessment.impact.severity == 'high'
> hook = TextMod[default]

[...]

> although i DONT want any "Malware submitted" alert, as stated in the
> idmef-criteria...
> The severity rule seems to work, i only get high severity alerts, but i
> do get "Malware submitted"

Multiple criteria rules within a single [idmef-criteria] section are not allowed. You should use:

rule = alert.classification.text != 'Malware submitted' && alert.assessment.impact.severity == 'high'

Regards,

-- 
Yoann Vandoorselaere | Responsable R&D / CTO | PreludeIDS Technologies
Tel: +33 (0)8 70 70 21 58    Fax: +33(0)4 78 42 21 58
http://www.prelude-ids.com

