FIRE A complex RULE in mitigator, including setup of the rule from plain vanilla Silvertail config

This example will show you how to build a complex attribute, a rule, and trigger it via cURL.

example will show [some new attribute using a new regular expression], prove or deny your [rule/attribute/expression] works or not

Setup Required: 1 installed silvertail machine and 1 web server that can return a completed transaction.  All you need is a web server target, no real pages configured,

 and the expected response is 'http 405 method not allowed'. This error response is all that is needed (any response really) and Silvertail will write a transaction.

...almost any web server will do that.

---------------------------------------------------------------------------------------------------------------------------------

What this example will show:  Curl will fire a transaction, and Silvertail will pull dollars and cents out of a specific location in a

transaction ARG and fire a syslog alert if the money amount is greater than 0.

---------------------------------------------------------------------------------------------------------------------------------

MACHINE SETUP:

silvertail IP is: 10.101.99.153 centos6 and has all components running (machine class all-in-one or 'all-no-varz with actionserver' added)

website IP is: 10.101.99.144 running IIS and a default page on port 80

---------------------these steps are detailed but we don't get into an exhaustive explanation of every single piece--------------------

CONFIG STEPS:

a) create a syslog action  (as a bonus, this example shows how to build an Arcsight style syslog (CEF format))

go to silvercat and edit ActionServer

syslog [0]

name arcsightalert, facility user, priority info,

format: exactly this entire line (they don't all have to be like this, but for this curl tutorial, do this)

CEF:0|Silver Tail Systems|Forensics|1.0|STS:100|Rule %(rule.name)s fired|10|msg=%(rule.name)s src=%(ip)s duser=%(username)s cs1=%(attribute.name)s cs1Label=Attribute Name cs2=%(attribute.value)s cs2Label=Attribute Value cs3=%(rule.date)s cs3Label=Rule Date request=%(pagename)s act=%(rule.action)s categorySignificance=/Informational/Alert

Save

b) create a new attribute (this shows a standard regex use case)

silvercat, schema, edit, add a new attribute

id: curltestattribute (this is any name you want, and will be used in the rule later on)

atomic

class D

type ARGS

name my_money_amount   (literally the name here is what will be inside the transaction)

Matcher

Match [0]

regEx: (?i)%7C(MARGIN|CASH)%7C([-]?[0-9]+\.[0-9][0-9]+)%7C    (I am not going to explain regular expressions here, but this looks for dollars and cents and fractional amounts between specific words)

yes, Expr: $2

no, 0

Save, review changes and push, push

c) Create a new rule that will fire when a transaction is seen, and ARG my_money_amount [attribute 'curltestattribute'] is greater than zero

admin UI, rules, mitigator, add rule

 rule name: testcurl

URLs rule will apply to /

trigger condition: curltestattribute.asNumber() > 0

take action: arcsightalert&flag

save the rule, save changes

d) Now the curl part

on the silvertail machine (assume silvertap can see port 80 traffic)

curl -k --data "srlp=&transfer_mode=&transfer_date=&my_money_amount=63773719%7CDojun%7CCUSTODIAL%7CCASH%7C26.69%7CEABCDE+Brokerage" http://10.101.99.144:80

This will fire a request and create a transaction with several ARGS silvertail will be able to sort. The my_money_amount ARG has data which the attribute 'curltestattribute' regex will pull

the money (26.69) out and then your rule will see that 26.69 is more than zero, and will trigger action server to send output to syslog.