I have created a stream to process incoming bro_dns messages, specifically looking for ‘alien’ address queries.
The stream rules look for
application_name:bro_dns
and a regex (.*.)+local
Which should match all queries for something.local , as a simple test
When I run a search using this I see the expected results, but no messages arrive in the stream using exactly the same conditions.
If change the rule processing form ‘both’ to ‘either’, I see all bro_dns messages arrive in the stream.
Which message field are you running the regular expression against?
Does this field always exist in the messages or do you generate it in an extractor or a pipeline rule?
Please post some example messages.
Jochen,
The messages field is ‘query’,
Here is an example:
1522910568.487725|CSjxZi3XMo7dWHHsO|fe80::6da8:7364:c2ba:8a23|5353|ff02::fb|5353|udp|0|0.109107|ops-05639.local|1|C_INTERNET|28|AAAA|0|NOERROR|T|F|F|F|0|fe80::6da8:7364:c2ba:8a23|120.000000|F
The extracted query field is ops-05639.local
I am doing the field extractions before the pipeline processing, and the Stream test shows the following.
In short, the stream test says the message should be routed to the stream, but it is not.
2. Manage stream rules
This message would be routed to this stream.
A message must match all of the following rules
A message must match at least one of the following rules
Field application_name must match exactly bro_dns (Only select bro dns)
Field query must match regular expression (.*.)+local (Someting ending in .local)
Check the order of message processors on the System/Configurations page. The stream rules are applied in the Message Filter Chain.
If the Pipeline Processor runs after the Message Filter Chain, all message fields created in pipeline rules will only be available after the stream rules have been evaluated.
You might want to take another look at that regular expression. It works, but it is quite suboptimal.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
