Field should be referenced as part of the possible "Value" comparison #168
Replies: 4 comments 1 reply
There already exists a modifier to reference another field: However, it only works for " It does not have to be this way, though. This should work and would not require new syntax or new modifiers:

```yaml
detection:
  selection:
    requestBytes|gte|fieldref: responseBytes
  condition: selection
```

This reads as "the number of requestBytes is greater or equal to the number of responseBytes".
closing as the basic use case is supported.
I don't think this should be closed, as the current implementation is very basic and should/could be improved
will keep it open so we can discuss improvements for future implementations!
This may have been previously asked or mentioned in #52.
It's pretty common to have rules that require comparison (with all supported operators) between fields for the same event.
Currently, we are using an extension where, if the "Value" matches a FieldName, it will be changed appropriately.
(In this "sample" syntax, any string that starts with <,<,!=,=,<=,>= will be evaluated for a subsequent field name, but nothing prevents using the same value replacement, like cs-bytes|gte: "myField", except for type checks [int, string, etc.])
Use cases would include:
-> connections with more traffic sent than received
-> A low integrity process spawning a high integrity process
-> etc, etc..
Example:
I'm just proposing the feature here, not the final syntax, but can work on that if there's agreement about this need.
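The field-to-field comparison discussed in the original post's use cases and in the `requestBytes|gte|fieldref: responseBytes` form shown in the first reply, as an added illustration written for this page; it is not SigmaHQ or pySigma code. It assumes a selection key shaped `<field>|<op>|fieldref: <other_field>`, where only `gte` appears in the thread and the other operator names (gt, lt, lte, eq, neq) are assumed for symmetry; events are flat dicts, the sample events are constructed, and `ParentIntegrityRank` / `IntegrityRank` are made-up numeric fields standing in for the integrity-level use case. It also shows the type check the original post mentions: a mismatched or missing field makes the selection fail rather than raise.

```python
"""Minimal evaluator for Sigma-style field-vs-field comparisons.

Added example, not SigmaHQ/pySigma code. Key form assumed from the thread:
    '<field>|<op>|fieldref': '<other_field>'
"""
import operator

# Operator names: 'gte' is from the thread; the rest are assumed here.
OPS = {
    "gt": operator.gt,
    "gte": operator.ge,
    "lt": operator.lt,
    "lte": operator.le,
    "eq": operator.eq,
    "neq": operator.ne,
}


def parse_selection_key(key):
    """Split 'requestBytes|gte|fieldref' into ('requestBytes', 'gte').

    Returns None when the key is not a fieldref comparison, so callers can
    fall through to ordinary value matching for other keys.
    """
    parts = key.split("|")
    if len(parts) != 3 or parts[2] != "fieldref" or parts[1] not in OPS:
        return None
    return parts[0], parts[1]


def _same_comparable_type(a, b):
    """Allow number-vs-number or string-vs-string only; never mixed types,
    and never bool (which Python would otherwise treat as an int)."""
    if isinstance(a, bool) or isinstance(b, bool):
        return False
    numeric = (int, float)
    if isinstance(a, numeric) and isinstance(b, numeric):
        return True
    return isinstance(a, str) and isinstance(b, str)


def evaluate_fieldref(selection, event):
    """True only if every fieldref comparison in the selection holds.

    A missing field or a type mismatch fails the selection instead of
    raising, so a malformed event can never produce a match by accident.
    """
    for key, other_field in selection.items():
        parsed = parse_selection_key(key)
        if parsed is None:
            raise ValueError(f"unsupported selection key: {key}")
        field, op = parsed
        if field not in event or other_field not in event:
            return False
        left, right = event[field], event[other_field]
        if not _same_comparable_type(left, right):
            return False
        if not OPS[op](left, right):
            return False
    return True


def matching_ids(selection, events):
    """Return the ids of the constructed events that satisfy the selection."""
    return [e["id"] for e in events if evaluate_fieldref(selection, e)]


# Use case 1: connections sending more than they receive (constructed events).
BYTES_SELECTION = {"requestBytes|gte|fieldref": "responseBytes"}
BYTES_EVENTS = [
    {"id": 1, "requestBytes": 500, "responseBytes": 120},    # matches
    {"id": 2, "requestBytes": 80, "responseBytes": 4000},    # no match
    {"id": 3, "requestBytes": "500", "responseBytes": 120},  # type mismatch
    {"id": 4, "requestBytes": 500},                          # missing field
]

# Use case 2: lower-integrity parent spawning a higher-integrity child.
# Integrity is modelled as a constructed numeric rank (1 = low, 3 = high).
PROC_SELECTION = {"ParentIntegrityRank|lt|fieldref": "IntegrityRank"}
PROC_EVENTS = [
    {"id": 10, "ParentIntegrityRank": 1, "IntegrityRank": 3},  # matches
    {"id": 11, "ParentIntegrityRank": 3, "IntegrityRank": 3},  # no match
]

if __name__ == "__main__":
    print("bytes matches:", matching_ids(BYTES_SELECTION, BYTES_EVENTS))
    print("process matches:", matching_ids(PROC_SELECTION, PROC_EVENTS))
```

Events 3 and 4 are the interesting ones: a string-typed count and a missing counterpart both fall out of the match set silently, which is the behaviour you want from a detection engine (no false positives from malformed telemetry) but also something to log at ingest time so the data-quality problem is visible.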