Add ability to correlate dynamic fields between events #2689
Conversation
src/analysisd/eventinfo.c
Outdated
@@ -75,22 +76,74 @@ Eventinfo *Search_LastSids(Eventinfo *my_lf, RuleInfo *rule, __attribute__((unus | |||
/* Check for same ID */ | |||
if (rule->context_opts & SAME_ID) { | |||
if ((!lf->id) || (!my_lf->id)) { | |||
continue; | |||
goto next_it; |
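Review bot: the last line of this hunk swaps `continue;` for `goto next_it;`, which replaces structured loop control with a jump for no visible gain; unless the `next_it` label performs cleanup that `continue` would skip (nothing in the hunk suggests it does), keep `continue;` so the `SAME_ID` branch reads like the neighbouring checks and the loop body stays easy to audit.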
I think we don't need these `goto`.
src/analysisd/eventinfo.c
Outdated
i = 0; | ||
while (rule->same_fields[i]) { | ||
found = 0; | ||
for (j = 0; j < my_lf->nfields; j++) { |
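Review bot: the inner `for (j = 0; j < my_lf->nfields; j++)` loop has no early exit, so for every entry of `rule->same_fields` it walks all of `my_lf`'s dynamic fields even after the matching one has been found; set `found = 1;` and `break;` on the match and test `found` after the loop so each rule field costs at most one pass up to the hit rather than a full scan of `nfields`.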
Please optimize this algorithm: each `for` will iterate over all the fields even after matching a field. Surely you can use `break` and `found` to achieve it.
Compare 847d468 to 7e56ec2
Compare 662a880 to a6e095a
LGTM!
I ran ossec-logtest and ossec-analysisd with Valgrind and a bunch of input logs.
Cheers @chemamartinez!
Hey,
The 3.9 release introduced the same_field and not_same_field to the rules syntax in [PR 2689](wazuh/wazuh#2689).
This PR aims to solve the use case of #2531 and cover the misfunction reported at #2524.
Description
Two options have been added to the rule options:
- `same_field`: It matches when the value of a dynamic field from an incoming event is the same as the one of a previous event which matched the same rule.
- `not_same_field`: The same case but when the value is different between both events.

Use case
Here we can see a simple example of using these two new options:
Rule 10002 matches when the third network inventory scan reports the same MAC address for the interface `ens33` but the amount of received packets has changed between events. Here we have the associated alert:

Valgrind report
It has been tested by using `valgrind` on the Analysis daemon and this is the result:
Lost memory is related to known issues when creating the child threads.