I wonder if someone here can help. I have a Palo Alto firewall log that contains IP information, which I am looking up for threats using OTX. However, the pipeline rule is failing. The code is as follows
Expected behaviour:
Any IP address containing 168.254 should be ignored
Your pipeline rule worked for me as expected in graylog 3.3.2
Try changing the line with the contains function to: cidr_match("169.254.0.0/16", to_ip($message.dest_addr))
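As an added illustration of why the cidr_match suggestion above is the safer filter (this is example code written for this page, not code posted in the thread or shipped with Graylog): the function cidr_match below mirrors the semantics of Graylog's cidr_match("169.254.0.0/16", to_ip($message.dest_addr)), while substring_match mirrors a plain "contains 169.254" test. The sample events are constructed for the example and only loosely resemble Palo Alto traffic-log fields; the field name dest_addr is taken from the thread, everything else is assumed.

```python
import ipaddress

# Constructed sample events for the example (not real firewall output).
# Field names loosely follow the Palo Alto log fields mentioned in the thread.
SAMPLE_EVENTS = [
    {"src_addr": "10.0.0.5",     "dest_addr": "169.254.169.254"},  # link-local: should be ignored
    {"src_addr": "10.0.0.5",     "dest_addr": "10.169.254.7"},     # contains "169.254" but is NOT link-local
    {"src_addr": "192.168.1.10", "dest_addr": "8.8.8.8"},          # public: should be looked up
    {"src_addr": "10.0.0.9",     "dest_addr": "not-an-ip"},        # malformed value: must not crash the rule
    {"src_addr": "10.0.0.9"},                                       # dest_addr missing entirely
]

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def substring_match(event, needle="169.254"):
    """Naive approach: a plain substring test on the raw field value.

    This also matches addresses such as 10.169.254.7, which are not
    link-local at all, so real traffic would be silently skipped.
    """
    return needle in str(event.get("dest_addr", ""))


def cidr_match(event, network=LINK_LOCAL):
    """Python equivalent of
    cidr_match("169.254.0.0/16", to_ip($message.dest_addr)).

    A missing or unparseable address is treated as 'not in the range'
    rather than raising, so one bad record cannot break the whole pipeline.
    """
    raw = event.get("dest_addr")
    if raw is None:
        return False
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return False
    # IPv6 addresses compare False against an IPv4 network here.
    return addr in network


def events_to_lookup(events, matcher):
    """Return the dest_addr values that survive the 'ignore link-local' filter,
    i.e. the ones that would be sent on to the OTX lookup."""
    return [e["dest_addr"] for e in events if "dest_addr" in e and not matcher(e)]


if __name__ == "__main__":
    print("substring filter keeps:", events_to_lookup(SAMPLE_EVENTS, substring_match))
    print("cidr filter keeps:     ", events_to_lookup(SAMPLE_EVENTS, cidr_match))
```

The second event is the one to watch: the substring filter drops 10.169.254.7 because it happens to contain "169.254", while the CIDR filter correctly keeps it for lookup and drops only the genuine 169.254.0.0/16 address. In a Graylog rule the CIDR test would sit in the when clause, with drop_message() in the then block; exactly how Graylog's to_ip behaves on a malformed value is not covered by this thread, so check that case against your own version rather than assuming it matches the Python above.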
@Magneton Which Graylog version are you using? I think your pipeline rule has an operator precedence or expression-construction issue. The NOT is trying to evaluate something that has a boolean value, but when executed it is getting the result of the "169.254". Can you also check server.log, where you will get some errors related to it?
The when condition is evaluating correctly; there are no errors in the log regarding AST trees, which is the error you get when a rule's when condition breaks.
The rule is running over firewall logs with 10k events per min.