All Apps and Add-ons
Highlighted

"trendmicro" stanza typo in props.conf EVAL-severity expression

Path Finder

Hi,
I've installed TA-trendmicrocmcef (Control Manager) v1.0.2 and splunkd.log reported following warning message

WARN  CalcFieldProcessor - Invalid eval expression for 'EVAL-severity' in stanza [trendmicro]: The expression is malformed. Expected ).

I've analyzed and seen there's a typo in TA default/props.conf EVAL-severity expression, Information word was not quoted correctly

EVAL-severity = case(CLF_SeverityCode="0","Unknown", CLF_SeverityCode="1","Information, CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3","Error", CLF_SeverityCode="4", "Critical")

I've created a workaround in local/props.conf and pasted corrected strings for above eval expression

[trendmicro]
KV_MODE = none
REPORT-trendmicro_cef = trendmicro_cef
REPORT-cefevents = cefHeaders, tmcefKeys, cefKeys
EVAL-date = date_month+" "+date_mday+" "+date_year
EVAL-action = case((act=="File deleted" OR act=="Unable to upload file" OR act=="File cleaned" OR act=="File quarantined" OR act=="Quarantine successfully" OR act=="Action Required" OR lower(act)=="block" OR act=="File replaced" OR act=="3" OR category=="WB:36" OR ActionResult=="File cleaned" OR act=="2" OR act=="8" OR ActionResult=="Reboot system successfully"), "blocked", (act=="Unable to clean" OR act=="Unable to delete" OR act=="File passed" OR act=="Access Denied" OR act=="Encrypted" OR act=="No action" OR act="1003" OR ActionResult=="Access denied" OR lower(act)=="pass" OR ActionResult=="File passed" OR ActionResult=="Unable to clean file"),"allowed",(act like "%Unable%" OR act like "%Action Required%"), "deferred")
EVAL-severity = case(CLF_SeverityCode="0", "Unknown",  CLF_SeverityCode="1", "Information", CLF_SeverityCode="2", "Warning", CLF_SeverityCode="3", "Error", CLF_SeverityCode="4", "Critical")
EVAL-signature = if(isnotnull(VirusName),VirusName,category_detail)
EVAL-sender = case(isnotnull(shost) AND isnotnull(dhost),suser)
EVAL-dest_ip = case((isnotnull(shost) AND isnull(dhost)),src,(isnull(shost) AND isnotnull(dhost)),dst)
EVAL-dest_host = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)
FIELDALIAS-file_name = fname AS file_name
FIELDALIAS-file_path = filePath AS file_path
EVAL-product = "TrendMicro"
FIELDALIAS-product_version = VLF_PatternNumber AS product_version
EXTRACT-act = act=(?P<act>.+?) [\w\d]+=
EXTRACT-shost = shost=(?P<shost>.+?) [\w\d]+=
EXTRACT-fname = fname=(?P<fname>.+?)\s\w+=
EXTRACT-filepath = filePath=(?P<filePath>.+?)\s\w+=
EXTRACT-dhost = dhost=(?P<dhost>.+?) [\w\d]+=
FIELDALIAS-dest = dhost AS dest
FIELDALIAS-dest1 = shost AS dest

Is it possible to fix typo in next TA release?
Regards

0 Karma
Highlighted

Re: "trendmicro" stanza typo in props.conf EVAL-severity expression

Explorer

Hi. Thank you for the bugfix. For now I will update the app description to include the fix.

For future release I can correct this.

Do you happen to have any sample logs you could share with me? I developed the app with very minimal samples and would like to expand the addon if possible. But i don't have access to a Trend CM server.

Highlighted

Re: "trendmicro" stanza typo in props.conf EVAL-severity expression

Engager

Also noticing there is a problem in the props.conf with assigning the dest attribute in order to properly assign hostname values for use with the Malware Data Model in ES. If dhost has a value and shost doesn't, the logic in the original props.conf appears to overwrite dest with shost which is null. Added the following to local/props.conf which appears to have resolved it and left the default/props.conf alone. Perhaps this could be incorporated in the next release as well. Thanks

[trendmicro]
EVAL-dest = case((isnotnull(shost) AND isnull(dhost)),shost,(isnull(shost) AND isnotnull(dhost)),dhost)

View solution in original post

0 Karma