Wildcard for Autocat in Squert


Christian
Mar 5, 2021, 8:32:36 AM
to security-onion
Hi,

how do I use a wildcard in Squert for "Autocat"ing alerts?

I tried every possible combination from TCL Regex, Normal RegEx, ... and can't find the right syntax.

Example: I want to escalate each Event with MALWARE and CnC in it to F9
%%REGEXP%%MALWARE*CnC doesn't work, , + * ... also don't work.

Is this even possible?

BR
Chris

Christian
Mar 9, 2021, 11:59:47 AM
to security-onion
Hi Doug & Wes,

any input on this question?

Thanks & BR
Chris

Doug Burks
Mar 10, 2021, 5:23:33 PM
to securit...@googlegroups.com
Have you tried a dot before the star like this?

%%REGEXP%%MALWARE.*CnC

You might also try using the Autocat Builder in the Sguil client.

Please keep in mind that Security Onion 16.04 reaches End Of Life next month.

--
Please keep in mind that Security Onion 16.04 reaches End Of Life soon!
https://blog.securityonion.net/2020/10/6-month-eol-notice-for-security-onion.html


--
Doug Burks
Founder and CEO
Security Onion Solutions, LLC

Christian
Mar 12, 2021, 4:30:21 AM
to security-onion
Hi Doug,

yes, I have tried it with .* and also with .+ but nothing seems to work.
OK, thank you - I will try the Autocat Builder in Sguil.

BR
Chris

Christian
Mar 15, 2021, 11:26:52 AM
to security-onion
Hi Doug,

the Sguil Autocat also only refers to TCL regex, but nothing from TCL regex seems to work correctly.
Any other ideas how we can use wildcards?

BR
Chris

Steven Malm
Mar 15, 2021, 10:12:28 PM
to securit...@googlegroups.com
How about %%REGEXP%%(MALWARE).*(CnC)
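To make the difference between the patterns suggested in this thread concrete, here is an added example (not from the thread and not Sguil's own code) that applies autocat-style %%REGEXP%% rules to a few constructed alert messages. It assumes Python's re module behaves like Tcl's regex engine for these simple patterns, and that a signature field without the %%REGEXP%% prefix is compared literally.

```python
import re

# Constructed sample alert messages for illustration only; these are not
# real signature names from any ruleset.
SAMPLE_ALERTS = [
    "ET MALWARE Win32/Trojan CnC Beacon",
    "ET MALWARE CnC Checkin",
    "ET MALWARCnC",  # bare-star pattern matches this one by accident
    "ET MALWARE Generic Downloader",
    "ET POLICY CnC-like traffic",
]

REGEXP_PREFIX = "%%REGEXP%%"


def autocat_matches(rule: str, message: str) -> bool:
    """Apply one autocat signature-field rule to an alert message.

    A field starting with %%REGEXP%% is treated as a regular expression
    (searched anywhere in the message); anything else is compared as an
    exact string. The literal-compare fallback and the use of Python's
    re in place of Tcl's engine are assumptions made for this example.
    """
    if rule.startswith(REGEXP_PREFIX):
        pattern = rule[len(REGEXP_PREFIX):]
        return re.search(pattern, message) is not None
    return rule == message


def matching_alerts(rule: str, alerts=SAMPLE_ALERTS) -> list:
    """Return the sample alerts that the given autocat rule would catch."""
    return [m for m in alerts if autocat_matches(rule, m)]


if __name__ == "__main__":
    # "MALWARE*CnC": the star quantifies only the preceding "E", so this
    # requires "MALWAR", zero or more "E", then "CnC" with nothing between.
    print(matching_alerts("%%REGEXP%%MALWARE*CnC"))
    # "MALWARE.*CnC": ".*" matches any run of characters between the words.
    print(matching_alerts("%%REGEXP%%MALWARE.*CnC"))
    # The grouped variant is equivalent for matching purposes.
    print(matching_alerts("%%REGEXP%%(MALWARE).*(CnC)"))
```

The bare-star rule only catches the malformed "ET MALWARCnC" message, while the dot-star rules catch both alerts that actually contain MALWARE followed later by CnC.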


