Hi guys, I tried creating fields with the result of a rule.
What the rule does is to check a lookup table containing a list of known ransomware addresses and populates a field:
```
rule "check_for_ransomware_address"
when
  has_field("message")
then
  // lookups with an explicit default: a miss yields the string "None"
  let hack_command_lookup1 = lookup_value("Ransomware Addresses", $message.DstAddr, "None");
  let hack_command_lookup3 = lookup_value("Ransomware Addresses", $message.src_ip, "None");
  // lookups without a default
  let testout = lookup_value("Ransomware Addresses", $message.DstAddr);
  let testin = lookup_value("Ransomware Addresses", $message.src_ip);
  set_field("RansomwareOutgoing", hack_command_lookup1);
  set_field("RansomwareIncoming", hack_command_lookup3);
  set_field("RMWareOut", testout);
  set_field("RMWareIn", testin);
end
```
The fields "RansomwareOutgoing" and "RansomwareIncoming" work perfectly, as their content is either the known malicious IP address or "None". But the fields "RMWareOut" and "RMWareIn" don't work.
- Is it because I didn't put a "None" in the declaration statement?
Because all I want is a field that contains only the known malicious address (if any), and not "None".
Please, how do I go about it? Thanks.
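As an added illustration (not the poster's rule and not code from the Graylog project): one way to get a field that is only present on a hit is to gate on the lookup result in the `when` clause, so a miss leaves the message untouched. It assumes the lookup table "Ransomware Addresses" and the field names from the post, that `lookup_value` without a default returns null on a miss, and that the `is_not_null` function is available in this Graylog version.

```graylog
// Added example rule: populate RMWareOut only when the destination is in the table.
rule "ransomware_dst_hit"
when
  has_field("DstAddr") &&
  is_not_null(lookup_value("Ransomware Addresses", $message.DstAddr))
then
  let hit = lookup_value("Ransomware Addresses", $message.DstAddr);
  set_field("RMWareOut", hit);
  // a boolean flag is simpler to alert on than comparing strings against "None"
  set_field("ransomware_match", true);
end

// Same check for the source side; no default, so a miss sets nothing.
rule "ransomware_src_hit"
when
  has_field("src_ip") &&
  is_not_null(lookup_value("Ransomware Addresses", $message.src_ip))
then
  let hit = lookup_value("Ransomware Addresses", $message.src_ip);
  set_field("RMWareIn", hit);
  set_field("ransomware_match", true);
end
```

Each rule is created as its own entry in the pipeline rule editor and both can be attached to the same pipeline stage; messages that match neither rule carry no RMWare fields at all.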