CB Response: Ingress Filter for Filemod_filters not working as expected

Article ID: 287992

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

An ingress filter with a filemod_filters regular expression is configured, but the server still receives the filemod events it was meant to drop.

Environment

  • Carbon Black Response Server: 6.x and above

Cause

Incorrect syntax in the filemod_filters regular expression: backslashes in the path are not escaped for both JSON and the regex engine, so the pattern never matches the path it was written for.

Resolution

  1. JSON expects four backslashes ("\\\\") for every literal backslash in a regular expression matched against a filemod path: the regex engine needs "\\" to match one literal "\", and JSON requires each of those two backslashes to be escaped again. A filter with only two backslashes per separator reaches the regex engine as a single backslash, where "\c" and "\d" are escape sequences rather than path separators. "path_filters" and "filter_all_events" must also be present in the filter definition.
  2. In this example we filter out any filemod whose filename contains "helloworld" and whose path is under C:\users\cb\desktop\. Replace the X-Auth-Token value with your own API token. "-k" disables TLS certificate verification for the request; omit it when curl trusts the server certificate.
  3. curl -k -XPOST -H "X-Auth-Token:<your-api-token>" -H "Content-Type: application/json" "https://localhost/api/v1/ingress_whitelist" -d '
    [
    { "id": "filemodtest",
     "priority": 0,
     "enabled": true,
     "filter_on_server": true,
     "track_metrics": true,
     "os_mask": 1,
     "global": true,
     "path_filters":["*"],
     "filter_all_events": false,
     "group_ids": [],
     "sensor_ids": [],
     "filemod_filters": ["rx|.*users\\\\cb\\\\desktop\\\\helloworld.*"] }
    ]'

     

Additional Information

  • "filter_all_events": false causes only the matching filemod events to be dropped; the process that performed the filemod, and its other events, are still reported. Setting it to true would also filter the process containing the filemod.