Help combing these rules

giveen · January 4, 2023, 6:25pm

Basically, I want it to check if its a randomized MAC first and if it isn’t THEN do a lookup

rule "LookupMACVendor"
when
  has_field("source_mac") 
then
  let macvendor = lookup_value("mac-lookup", $message.source_mac);
  let source_mac_vendor = macvendor;
  set_field("source_mac_vendor", macvendor);
end

rule "ParseMACForRandomization"
when
  has_field("source_mac") AND (contains("2", substring(to_string($message.source_mac),1,2),true) OR contains("6", substring(to_string($message.source_mac),1,2),true) OR contains("a", substring(to_string($message.source_mac),1,2), true) OR contains("e", substring(to_string($message.source_mac),1,2), true))
then
  set_field("source_mac_randomized", "True");
end

giveen · January 4, 2023, 7:05pm

So I set ParseMACForRandomization in the one stage and below it in the other stage below I changed the rule to say

rule "LookupMACVendor"
when
  has_field("source_mac") AND !has_field("source_mac_randomized")
then
  let macvendor = lookup_value("mac-lookup", $message.source_mac);
  let source_mac_vendor = macvendor;
  set_field("source_mac_vendor", macvendor);
end

Still not working

tmacgbay · January 4, 2023, 8:32pm

Sequentially, you have "ParseMACForRandomization" in a lower number stage from "LookupMACVendor" so that "ParseMACForRandomization" will run first, then when it gets to the next stage it will run "LookupMACVendor" - correct? Then make sure your stage rules are set up to pass properly to the next stage with something like "At least one of the rules on this stage matches the message…

Side note - I love that an option is “None or more rules on this stage match”… “always go to next stage” may have been better…

tmacgbay · January 4, 2023, 8:53pm

Alternatively smosh em together:

rule "LookupMACVendor"
when
  has_field("source_mac") AND NOT
     (contains("2", substring(to_string($message.source_mac),1,2),true)  OR 
      contains("6", substring(to_string($message.source_mac),1,2),true)  OR 
	  contains("a", substring(to_string($message.source_mac),1,2), true) OR 
	  contains("e", substring(to_string($message.source_mac),1,2), true)
  )
  
then
  set_field("source_mac_randomized", "FALSE");
  let macvendor = lookup_value("mac-lookup", $message.source_mac);
  let source_mac_vendor = macvendor;
  set_field("source_mac_vendor", macvendor);
end

You may be able to shorten processing with (Untested ):

when  
  has_field("source_mac") AND
  regex("^[^26ae]{2}",to_string($message.source_mac)) == ""
then

EDIT: … or even:

when  
  regex("^[^26ae]{2}",to_string($message.source_mac)) == ""
then

giveen · January 4, 2023, 9:19pm

Let me give that a try, I really appreciate the help.

system · January 18, 2023, 9:20pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse if MAC address is random Pipeline Rules	0	366	January 4, 2023
Index error in pipeline rule Graylog Central (peer support)	6	364	January 24, 2023
Graylog Rules and Pipeline not working Graylog Central (peer support) pipeline-rules	1	522	April 26, 2018
Pipeline Rules - Exact Match on Field Graylog Central (peer support) pipeline-rules	5	5010	June 6, 2018
Change source name PIPELINES Graylog Central (peer support)	6	1973	November 29, 2019

Help combing these rules

Related Topics