Wildcard for Autocat in Squert

[Christian]

Hi,

how do I use a Wildcard in Squert for "Autocat"ing Alerts?

I tried every possible combination from TCL Regex, Normal RegEx, ... and can't find the right syntax.

Example: I want to escalate each Event with MALWARE and CnC in it to F9

%%REGEXP%%MALWARE*CnC doesn't work, , + * ... also don't work.

Is this even possible?

BR
Chris

[Christian]

Hi Doug & Wes,

any Input on this Question?

Thanks & BR
Chris

[Doug Burks]

Have you tried a dot before the star like this?

%%REGEXP%%MALWARE.*CnC

You might also try using the Autocat Builder in the Sguil client.

Please keep in mind that Security Onion 16.04 reaches End Of Life next month.

--
Please keep in mind that Security Onion 16.04 reaches End Of Life soon!
https://blog.securityonion.net/2020/10/6-month-eol-notice-for-security-onion.html
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/9e544e28-54d5-4f82-a2ed-56eccbc0796en%40googlegroups.com.

--

Doug Burks
Founder and CEO
Security Onion Solutions, LLC

[Christian]

Hi Doug,

yes I have tried it with .* and also with .+ but nothings seems to work.

OK thank you - i will try the Autocat Builder in Sguil.

BR
Chris

[Christian]

Hi Doug,

the SGUIL Autocat also only refers to TCL Regex, but nothing from TCL Regex seems to work correctly.

Any other Ideas, how we can use Wildcards?

BR
Chris

[Steven Malm]

How about,  %%REGEXP%%(MALWARE).*(CnC)

To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/65a594b0-c6d4-4e7e-bc9f-6c93aa5cbcb1n%40googlegroups.com.