Pipeline Processor Rule to Detect Bad User Agent

(GT) #1


I have tried to create a pipeline rule to check if the user agent is on a list of suspicious user agents.
In the pipeline rule below I have only added the ‘Microsoft+WinRM+Client’ user agent as a test.

I have verified that we are getting logs in with the test user agent, however
the BadUserAgent field isn’t being set to ‘Yes’.

Can anyone explain to me why this rule doesn’t work?

rule "Suspicious User Agent"
when
    to_bool(regex("Microsoft+WinRM+Client", to_string($message.UserAgent)))
then
    set_field("BadUserAgent", "Yes");
end

Thank you in advance


(Scampuza) #2


It seems the problem is with the Regular Expression. Can you please share with us a sample of the log file containing this user agent?

(GT) #3

I can’t currently share one sorry.

However, the user agent is exactly the same as it is in the regex: ‘Microsoft+WinRM+Client’



(Jochen) #4

The + character is a reserved character in regular expressions. Additionally, the regex() function returns the matching parts of the input string, not a boolean value.

Please refer to https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html and http://www.vogella.com/tutorials/JavaRegularExpressions/article.html for more information.

(GT) #5

I am slightly versed in regex and had tried to escape the ‘+’:

    to_bool(regex("Microsoft\+WinRM\+Client", to_string($message.UserAgent)))

However this threw up the error:

Is there any way to match a field against a regex and output a bool value to trigger the ‘then’ part of the pipeline rule?


(Jochen) #6

Unfortunately \ itself is a reserved character inside strings, so you have to escape that too, i. e. "Foo\\+Bar".

(GT) #7

I don’t need to escape the \, do I? The string I’m trying to match the regex against is: Microsoft+WinRM+Client

So I thought I’d only have to escape the +


(Jochen) #8

Yes, the backslash has to be escaped too.

(GT) #9

Ah ok, thank you very much.

I shall test this out now :)

How would I then make the pipeline processor set the BadUserAgent field if the regex matched?


(Jochen) #10

With set_field().

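For reference, here is the rule from the question with the two problems raised in the replies fixed. This is an added example, not a rule posted in the thread; it assumes the field is named UserAgent exactly as in the original post and that the rule runs in a Graylog processing pipeline.

```graylog
// Added example (not from the thread): the rule from the question with the two
// problems the replies point out fixed.
//
//  1. In a rule's string literal the backslash is itself an escape character,
//     so the regex metacharacter '+' must be written as "\\+" to match a
//     literal plus sign (the regex engine then sees Microsoft\+WinRM\+Client).
//  2. regex() does not return a boolean; it returns a map whose "matches" key
//     says whether the pattern matched, so the condition tests .matches.
rule "Suspicious User Agent"
when
    has_field("UserAgent") &&
    regex("Microsoft\\+WinRM\\+Client", to_string($message.UserAgent)).matches == true
then
    set_field("BadUserAgent", "Yes");
end

// Same check without a regex: the user agent is a literal string, so a plain
// substring comparison needs no escaping at all. contains() is a built-in
// pipeline function; the third argument makes the comparison case-insensitive.
rule "Suspicious User Agent (literal match)"
when
    has_field("UserAgent") &&
    contains(to_string($message.UserAgent), "Microsoft+WinRM+Client", true)
then
    set_field("BadUserAgent", "Yes");
end
```

Only one of the two rules is needed. If the list of suspicious user agents grows, the regex form can take an alternation such as "(Microsoft\\+WinRM\\+Client|...)", with every literal metacharacter escaped the same way; the contains() form avoids the escaping question entirely but only checks one string per call.
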
(system) closed #11

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.