I created a custom source file to parse BRO logs. By default BRO has key names contain

hey <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url=

See <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id

Resolved by <a class="issue-link js-issue-link" data-error-text="Failed to load title"

Source file parse doesn't ignore '.' about eqllib HOT 3 CLOSED

CptOfEvilMinions commented on July 18, 2024

Source file parse doesn't ignore '.'

from eqllib.

Comments (3)

rw-access commented on July 18, 2024

hey @CptOfEvilMinions I think we've talked about this indirectly in other places but I haven't responded here. With EQL a . indicates a nested field, but I think with the bro logs the native fields were named "ip.orig_h" and "id.resp_h", which caused the problems.

This is an interesting scenario, because we currently require all field names to match a-zA-Z][a-zA-Z0-9_]*
https://github.com/endgameinc/eql/blob/aa55970fd57996aed7519a8eda94c3fe472d15c2/eql/etc/eql.ebnf#L231

Since . already means something in EQL, there are a few ways we could do this:

One option is to escape all characters that don't match that regex. id\.orig_h.
Another option is to use the string syntax and do something like this ["id.orig_h"].

Then your EQL queries would look like one of these

network where id\.orig_h == "192.168.1.1"
network where ["id.orig_h"] == "192.168.1.1"
network where .["id.orig_h"] == "192.168.1.1"

Also since your blog, it should be a lot easier to make your own schema, and EQL will autodetect it from your JSON file if you use the new interactive shell

Any preferences for the syntax?

from eqllib.

rw-access commented on July 18, 2024

See endgameinc/eql#15

from eqllib.

rw-access commented on July 18, 2024

Resolved by endgameinc/eql#19

from eqllib.

Recommend Projects