Pipeline Processor Rule to Detect Bad User Agent

GTownson · July 21, 2017, 9:08am

Hello,

I have tried to create a pipeline rule to check if the user agent is on a list of suspicious user agents.
In the pipeline rule below I have only added the ‘Microsoft+WinRM+Client’ user agent as a test.

I have verified that we are getting logs in with the test user agent, however
the BadUserAgent field isn’t being set to ‘Yes’.

Can anyone explain to me why this rule doesn’t work?

rule "Suspicious User Agent"
    when
    to_bool(regex("Microsoft+WinRM+Client", to_string($message.UserAgent)))

    then
set_field("BadUserAgent", "Yes");
end

Thankyou in advance

G

scampuza · July 21, 2017, 7:18pm

G

It seems the problem is with the Regular Expression. Can you please share with us a sample of the log file containing this user agent?

GTownson · July 21, 2017, 7:47pm

I can’t currently share one sorry.

However the user agent is exactly the same as it is in the regex:‘Microsoft+WinRM+Client’

Regards

G

jochen · July 25, 2017, 12:01pm

The + character is a reserved character in regular expressions. Additionally, the regex() function returns the matching parts of the input string, not a boolean value.

Please refer to https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html and http://www.vogella.com/tutorials/JavaRegularExpressions/article.html for more information.

GTownson · July 25, 2017, 1:14pm

I am slightly versed in regex and had tried to escape the ‘+’

to_bool(regex(“Microsoft+WinRM+Client”, to_string($message.UserAgent)))

However this threw up the error:

Is there anyway to match a field to regex and output a bool value to trigger the ‘then’ part of the pipeline rule?

Regards,
G

jochen · July 25, 2017, 1:43pm

Unfortunately \ itself is a reserved character inside strings, so you have to escape that too, i. e. "Foo\\+Bar".

GTownson · July 25, 2017, 1:57pm

I don’t need to escape the \ do I? as the string I’m trying to match the regex with is: Microsoft+WinRM+Client

So I only thought I’d have to escape the +

G

jochen · July 25, 2017, 2:02pm

Yes, the backslash has to be escaped too.

GTownson · July 25, 2017, 2:06pm

Ah ok, thanykou very much.

I shall test this out now

How would I then make the pipeline processor set the BadUserAgent field if the regex matched?

G

jochen · July 25, 2017, 2:15pm

With set_field().

system · August 8, 2017, 2:16pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Matching Field Contents with Regex (Pipeline Processing) Graylog Central (peer support)	7	6435	October 26, 2017
Pipeline Rule Filter Question Graylog Central (peer support) pipeline-rules , debuggingpl	2	458	December 5, 2019
Match a String Against Regex in Pipeline Processors Graylog Central (peer support)	2	7182	September 4, 2017
Pipeline rule to perform a search when message does not contain specific keywords Graylog Central (peer support)	5	1223	November 11, 2022
Pipeline Rule not firing Graylog Central (peer support) pipeline-rules	10	1423	October 2, 2018

Pipeline Processor Rule to Detect Bad User Agent

Related Topics