https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/194014#M97596 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11678">@lmori</a></P> <P>your solution worked for <EM>Heartbleed.&nbsp;</EM> For threats that have no such distinctive name, would you think it's possible to use directly the threat ID?</P> <P>&nbsp;</P> <P>For instance:</P> <P>&nbsp;</P> <PRE>- contains(threat_name, '(36397)') == true</PRE> <P>&nbsp;</P> Fri, 05 Jan 2018 15:44:35 GMT LucaMarchiori 2018-01-05T15:44:35Z https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/185380#M97589 <P>Hi,</P> <P>&nbsp;</P> <P>I have a rule for Panos syslog miner to block FTP brute force login attempt that is not working.&nbsp; I suspect this is because the threat_name has a colon in it, and is not being parsed properly.&nbsp; This is what my rule looks like:</P> <P>&nbsp;</P> <PRE>conditions: - type == "THREAT" - log_subtype == "vulnerability" - severity == "high" - src_zone == "WAN" - dest_zone == "DMZ" - 'threat_name == "FTP'':'' login Brute Force attempt(40001)"' fields: - log_subtype - threat_name indicators: - src_ip</PRE> <P>&nbsp;</P> <P>I first needed to add extra quatation marks around the colon to pass the yaml validation, and after that more quotation marks are automatically added upon saving the rule.&nbsp; I've tried removing the threat_name line altogether, and replacing it with&nbsp;</P> <P>&nbsp;</P> <PRE>signature_id == 40001</PRE> <P>but that does not seem to be working either.&nbsp;</P> <P>&nbsp;</P> <P>tldr:&nbsp; Anyone know what is the proper way to escape characters like ":" or "-" in MineMeld?</P> Fri, 03 Nov 2017 15:48:31 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/185380#M97589 LucaMarchiori 2017-11-03T15:48:31Z https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/186162#M97590 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/28602">@LucaMarchiori</a>,</P> <P>that's one of the&nbsp;confusing things with YAML, there too many ways to represent and quote strings.</P> <P>Could you try this:</P> <PRE>conditions: - type == "THREAT" - log_subtype == "vulnerability" - severity == "high" - src_zone == "WAN" - dest_zone == "DMZ" - 'threat_name == "FTP: login Brute Force attempt(40001)"' fields: - log_subtype - threat_name indicators: - src_ip</PRE> <P>or this (YAML is a superset of JSON, so you can also use JSON):</P> <PRE>{ "conditions": [ "type == \"THREAT\"", "log_subtype == \"vulnerability\"", "severity == \"high\"", "src_zone == \"WAN\"", "dest_zone == \"DMZ\"", "threat_name == \"FTP: login Brute Force attempt(40001)\"" ], "fields": [ "log_subtype", "threat_name" ], "indicators": [ "src_ip" ] }</PRE> Thu, 09 Nov 2017 09:06:32 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/186162#M97590 lmori 2017-11-09T09:06:32Z https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/186312#M97591 <P>&nbsp;</P> <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11678">@lmori</a></P> <P>&nbsp;</P> <P>Thank you for your response.&nbsp; I'll test the&nbsp; syntax you have suggested as soon as I can.&nbsp; Do you happen to know if there is a lenght limit in place as well?</P> <P>&nbsp;</P> <P>For instance, a somewhat longer threat name like:</P> <P>&nbsp;</P> <PRE>threat_name == "LinkSys E-series Routers Remote Code Execution Vulnerability(36358)"</PRE> <P>after validation invariably becomes:</P> <P>&nbsp;</P> <PRE> - &gt;- threat_name == "LinkSys E-series Routers Remote Code Execution Vulnerability(36358)"</PRE> <P>which does not seem to work.&nbsp; Several spaces get automatically added between <EM>Execution</EM> and <EM>Vulnerability</EM>.&nbsp; If I shorten the threat name a few characters, it passes validation just fine.&nbsp; Initially I thought the "-" character was causing the problem, but may be the treat name is too long?</P> <P>&nbsp;</P> <P>EDIT:&nbsp; your suggested syntax is working for FTP: login Brute Force attempt(40001).&nbsp;&nbsp;</P> Thu, 09 Nov 2017 19:54:31 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/186312#M97591 LucaMarchiori 2017-11-09T19:54:31Z https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/186824#M97592 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/28602">@LucaMarchiori</a>,</P> <P>I will check and be right back.</P> <P>&nbsp;</P> <P>Luigi</P> Tue, 14 Nov 2017 05:29:55 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/186824#M97592 lmori 2017-11-14T05:29:55Z https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/189920#M97593 <P>&nbsp;</P> <P>&nbsp;</P> <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11678">@lmori</a></P> <P>&nbsp;</P> <P>I was wondering if you had a chance to check on threat_name lenght issue.&nbsp; Any threats with longer names, for instance:</P> <P>&nbsp;</P> <P>threat_name == "OpenSSL TLS Malformed Heartbeat Request Found - Heartbleed(36397)"</P> <P>&nbsp;</P> <P>after&nbsp;yaml verification becomes:</P> <P>&nbsp;</P> <P>- &gt;-<BR /> threat_name == "OpenSSL TLS Malformed Heartbeat Request Found -<BR /> Heartbleed(36397)"</P> <P>&nbsp;</P> <P>which does not seem to be working.</P> Mon, 04 Dec 2017 19:48:29 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/189920#M97593 LucaMarchiori 2017-12-04T19:48:29Z https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/193051#M97594 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/28602">@LucaMarchiori</a>,</P> <P>sorry for the late repy, you could try this instead as condition:</P> <PRE>conditions: - type == 'THREAT' - contains(threat_name, '<SPAN>Heartbleed</SPAN>') == true </PRE> Tue, 26 Dec 2017 07:45:49 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/193051#M97594 lmori 2017-12-26T07:45:49Z https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/193515#M97595 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11678">@lmori</a></P> <P>&nbsp;</P> <P>Just as a side note, validation turned this:</P> <P>&nbsp;</P> <PRE>- contains(threat_name, '<SPAN>Heartbleed</SPAN>') == true</PRE> <P>&nbsp;</P> <P>into this:</P> <P>&nbsp;</P> <P>&nbsp;- 'contains(threat_name, ''Heartbleed'') == true'</P> <P>&nbsp;</P> <P>I'm giving it a try.</P> Tue, 02 Jan 2018 16:33:54 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/193515#M97595 LucaMarchiori 2018-01-02T16:33:54Z https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/194014#M97596 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11678">@lmori</a></P> <P>your solution worked for <EM>Heartbleed.&nbsp;</EM> For threats that have no such distinctive name, would you think it's possible to use directly the threat ID?</P> <P>&nbsp;</P> <P>For instance:</P> <P>&nbsp;</P> <PRE>- contains(threat_name, '(36397)') == true</PRE> <P>&nbsp;</P> Fri, 05 Jan 2018 15:44:35 GMT https://live.paloaltonetworks.com/t5/general-topics/how-to-escape-special-characters-i-e-colon-in-miner-rule/m-p/194014#M97596 LucaMarchiori 2018-01-05T15:44:35Z