How to alert correctly with quotes from the endpoint log?

I’m trying to sort out the special characters from my canary and it’s giving me trouble with all the quotes on a single line, how do I watch for the needed text within quotes?

The ports we want to alert on:
“dst_port”: “22”
“dst_port”: “23”
“dst_port”: “5060”
“dst_port”: “5061”

Escaping all the quotes per the Event Definitions guide doesn’t trigger an alert
“dst_port”: “22”

As a test, putting another set of quotes around the original sends alerts for all ports scanned, not just the specific ones highlighted by the or operator…

"“dst_port”: “5060” OR “dst_port”: “5061"”

The full alert looks like this and it is a mouthful to parse:
{“dst_host”: “100.50.25.12”, “dst_port”: “22”, “local_time”: “2022-02-02 13:32:52.386025”, “local_time_adjusted”: “2022-02-02 08:32:52.386095”, “logdata”: {“ID”: “31097”, “IN”: “eth0”, “LEN”: “44”, “MAC”: “28:ee:11:18:ff:46:00:0a:22:7b:c2:90:08:30”, “OUT”: “”, “PREC”: “0x00”, “PROTO”: “TCP”, “RES”: “0x00”, “SYN”: “”, “TOS”: “0x00”, “TTL”: “48”, “URGP”: “0”, “WINDOW”: “1024”}, “logtype”: 5001, “node_id”: “opencanary-1”, “src_host”: “100.50.25.13”, “src_port”: “52470”, “utc_time”: “2022-02-02 13:32:52.386080”}

Hello @no-good-username

Perhaps this post will help.

So the guide is wrong?
It says to escape with a backslash \ , not forward /

Unable to perform search query: Elasticsearch exception [type=query_shard_exception, reason=Failed to parse query [“dst_port”\ : “5060”]].

I flipped them 'round and this passed the validator - “/“dst_port”/ : /“5060”/”
But I still get alerts for other ports, not specifically 22 or 5060…

escape using the \

/ lets Graylog know that what’s between them is a RegEx.

edit
LMAO… had to esc the escape character for it to post… apologies for the confusion.

Like this?
,“dst_port”,: ,“5060”, OR ,“dst_port”,: ,“22”,

If so, I get alerts for portscans for the top100 range tried, not specifically just :22 or :5060

@no-good-username apologies for the added confusion…

quick question… are you parsing/extracting anything from the messages into fields? Not sure why you would search for “dst_port”:“22” unless you haven’t extracted them. it can be a mouthful to parse, but it doesn’t have to be. you can use a pipeline or an extractor. I tend to use Extractors more. GROK extractors to be specific.

In your above example, I would have a simple extractor tied you your input that runs against all messages that looks like this

, “dst_port”: “%{BASE10NUM:dst_port}”

The first part of that including the leading , is just to help more uniquely identify the pattern that Graylog should look for to extract. With the trailing " telling it where the pattern stops.

running it against that sample message you have would simply result in 22 being stored in the dst_port field and then your query is as simple as

dst_port:22 OR dst_port:23 OR dst_port:5060 OR dst_port:5061

you can further reduce that in this instance using RegEx to

dst_port:/2[23]/ OR dst_port:/506[01]/

In the first query, I’m listing a string literal for Graylog to search.

<field_name>:<string_literal_value>

In the second query I’m doing basically the same thing, but those forward slashes are telling Graylog that it’s not a literal you need to search for, it’s a RegEx and between the forward slashes is the RegEx you will use.

Hope that makes sense.

FWIW, if you just want to search the message as your originally mentioned, you’ll need to surround you statements with an additional set of “”.

as in…
““dst_port”: “5060”” OR ““dst_port”: “5061””

what you had above didn’t have the additional quote before and after the OR
““dst_port”: “5060” OR “dst_port”: “5061””

so it was literally searching for everything between the outer "

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.