Graylog Rules and Pipeline not working


(Ayoola Ayooluwa) #1

Hi guys, I tried creating fields with the result of a rule.

What the rule does is to check a lookup table containing a list of known ransomware addresses and populates a field:

rule "check_for_ransomware_address"
when
    has_field("message")
then
    // Lookups with an explicit default ("None") for keys not in the table
    let hack_command_lookup1 = lookup_value("Ransomware Addresses", $message.DstAddr, "None");
    let hack_command_lookup3 = lookup_value("Ransomware Addresses", $message.src_ip, "None");

    // Same lookups with no default given
    let testout = lookup_value("Ransomware Addresses", $message.DstAddr);
    let testin = lookup_value("Ransomware Addresses", $message.src_ip);

    set_field("RansomwareOutgoing", hack_command_lookup1);
    set_field("RansomwareIncoming", hack_command_lookup3);

    set_field("RMWareOut", testout);
    set_field("RMWareIn", testin);
end

The fields "RansomwareOutgoing" and "RansomwareIncoming" work perfectly, as their content is either the known malicious IP address or "None". But the fields "RMWareOut" and "RMWareIn" don't work.

  1. Is it because I didn't put a "None" in the declaration statement?

Because all I want is a field that contains only the known malicious address (if any) and not "None".

Please, how do I go about it? Thanks.
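One way to get the behaviour the post asks for, as an added example that is not from the original post or from Graylog's own documentation: when `lookup_value` is called without a default and the key is not in the table, it returns null, so there is nothing to put in the field. The rules below only call `set_field` when the lookup actually found a value, which gives a field that is either the matched address or absent. They reuse the lookup table name "Ransomware Addresses" and the field names DstAddr and src_ip from the post; the rule names, the `is_not_null` guard and the `to_string` conversion of the key are my own choices. Because a rule's `when` clause cannot use a `let` variable from `then`, the lookup is evaluated twice per direction (once as the condition, once to fill the field); Graylog caches lookup results, so the second call is served from cache. The two rules are created separately in the UI and attached to the same pipeline stage.

```graylog
// Added example (not from the original post): set RMWareOut only when
// DstAddr is present in the "Ransomware Addresses" lookup table.
rule "ransomware_outgoing_match"
when
    has_field("DstAddr") &&
    is_not_null(lookup_value("Ransomware Addresses", to_string($message.DstAddr)))
then
    // The lookup hit, so this value is the matched address, never null or "None"
    set_field("RMWareOut", lookup_value("Ransomware Addresses", to_string($message.DstAddr)));
end

// Added example (not from the original post): same check for the source side;
// RMWareIn is only created when src_ip is in the table.
rule "ransomware_incoming_match"
when
    has_field("src_ip") &&
    is_not_null(lookup_value("Ransomware Addresses", to_string($message.src_ip)))
then
    set_field("RMWareIn", lookup_value("Ransomware Addresses", to_string($message.src_ip)));
end
```

With this split, a message that matches neither direction carries neither field, so a search such as `_exists_:RMWareOut OR _exists_:RMWareIn` returns only messages that touched a known address, without having to filter out "None" values.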


(system) #2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.