
Regular Expressions (RegEx) within Correlation rules

Created: 30 Jan 2013 | 6 comments
Phife35 wrote:

Trying to determine the proper regex format/structure that SSIM uses.  I have used regex in the past with much success in other applications and event filters.

However, the SSIM rules seem to have a different allowable regex format.  Example below.

Came across a malware stream with a specific format.

http://melikeiletisim[.]net/YFHHTRVWJR.php?info=755_296194096

where the .php?info= and the _ are all in the same place with random letters and number within the URL.

A quick and dirty Regex to match this is the following.

\/\w\w\w\w\w\w\w\w\w\w.php\?info=\d\d\d_\d\d\d\d\d\d\d\d\d

The SSIM rules match is not catching any of the URLs with the pattern.  I tried incrementally adding the pieces and get to the special characters ? = and _ with varying degrees of success using \ and \\ prior to the ? but not the other characters.

6 Comments

antilles wrote:

Did you use the 'matches' operator?

If yes, and it didn't work, then try this:

^http:\/\/\w+\.\w+\/\w+\.php\?info=\d+_\d+$

Phife35 wrote:

I did use 'matches'.  I will try the suggested regex.

SK Ooi wrote:

Regular Expression is in greedy mode by default, so you can't typically translate the sentence into regex one for one.  Try this


[hH][tT]{2}[pP]([sS]?)\:([^\.]+\.)+php\?info=(\d+)_(\d+)


I know it looks complex, but that RegEx looks the same before and after encryption.


SK

Laszlo2 wrote:

Hi,

When you try SK Ooi's solution use the ^regex$ format as antilles said. If that does not work try this one:

^(http).*(php?info)\d{3}(_)\d*$

Laszlo

mathell wrote:

The regex has to match the entire value being compared to trigger.  That's why your regex didn't work. Because you're matching the whole value, I'm not sure what a ^ at the beginning or $ at the end does for you, although it shouldn't hurt any.

http://melikeiletisim[.]net/YFHHTRVWJR.php?info=755_296194096

Just to get it started, you might just try:

.*\.php\?info\=\d{3,3}_\d{9,9}

Assuming that works for you as a test, then you can replace the dot asterisk at the beginning with something more efficient.

SK Ooi wrote:

Thanks for pointing that out, Laszlo2 and mathell.


Just in case the attack string starts to mutate and starts using "/" or "\", let's make a cryptic RegEx look even better :)


^[hH][tT]{2}[pP]([sS]?)\:([^\.\\/]+\.)+php\?info=(\d+)_(\d+)\s*$


I did try out the above on a RegEx engine.


Hope this helps

SK
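Added example (not part of the thread and not Symantec code): a small Python script that runs every pattern posted above against a constructed URL of the shape under discussion, once with substring semantics (re.search, what most filters do) and once with whole-value semantics (re.fullmatch), which is the behaviour mathell describes for the SSIM 'matches' operator. The host name is a placeholder, the second "variant" URL is constructed to show which patterns also accept shorter digit groups, and the assumption that SSIM's matcher behaves like re.fullmatch (or Java's String.matches()) is mine, not something the page documents.

```python
import re

# Constructed sample values (not taken from an SSIM event feed). The path and
# query carry the shape discussed in the thread; the host is a placeholder.
SAMPLE_URL = "http://example.test/YFHHTRVWJR.php?info=755_296194096"
# Second constructed value: same "php?info=" shape, but shorter digit groups.
VARIANT_URL = "http://example.test/index.php?info=12_34"

# The patterns exactly as posted in the thread, keyed by who posted them.
THREAD_PATTERNS = {
    "phife35_original": r"\/\w\w\w\w\w\w\w\w\w\w.php\?info=\d\d\d_\d\d\d\d\d\d\d\d\d",
    "antilles": r"^http:\/\/\w+\.\w+\/\w+\.php\?info=\d+_\d+$",
    "sk_ooi_first": r"[hH][tT]{2}[pP]([sS]?)\:([^\.]+\.)+php\?info=(\d+)_(\d+)",
    "laszlo2": r"^(http).*(php?info)\d{3}(_)\d*$",
    "mathell": r".*\.php\?info\=\d{3,3}_\d{9,9}",
    # This one forbids '/' inside each dotted label, so the "//" after the
    # scheme already stops it from matching a full URL.
    "sk_ooi_second": r"^[hH][tT]{2}[pP]([sS]?)\:([^\.\\/]+\.)+php\?info=(\d+)_(\d+)\s*$",
}


def check(pattern, value):
    """Return (substring_hit, whole_value_hit) for one pattern and one value.

    re.search models the substring semantics most event filters use;
    re.fullmatch models the whole-value semantics mathell describes for the
    SSIM 'matches' operator (assumption: it behaves like Java String.matches()).
    """
    compiled = re.compile(pattern)
    return (compiled.search(value) is not None,
            compiled.fullmatch(value) is not None)


def evaluate(value, patterns=THREAD_PATTERNS):
    """Run every thread pattern against one value; map name -> (sub, whole)."""
    return {name: check(p, value) for name, p in patterns.items()}


if __name__ == "__main__":
    for value in (SAMPLE_URL, VARIANT_URL):
        print(value)
        for name, (sub, whole) in evaluate(value).items():
            print(f"  {name:18} substring={str(sub):5} whole-value={whole}")
```

Running it shows the point of the thread directly: the original pattern hits as a substring but fails as a whole-value match, while the patterns that consume the scheme and host (or start with .*) pass both ways. The variant URL shows the other side of the trade-off, since the \d+ forms also accept shorter digit groups that mathell's {3,3}/{9,9} bounds reject, which is worth knowing before a rule goes into production.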