CB Response: Ingress Filter for Filemod_filters not working as expected
Article ID: 287992
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
An ingress filter that uses filemod_filters to exclude file modification events does not take effect: the server keeps receiving and storing the filemod events it was meant to drop.
Environment
- Carbon Black Response Server: 6.x and above
Resolution
- When a filemod_filters entry is a regular expression ("rx|..."), each literal backslash in the Windows path must be written as 4 backslashes in the JSON body. JSON string decoding turns "\\\\" into "\\", and the regex engine then reads "\\" as one literal backslash. With only 2 backslashes the regex receives a single "\", which it treats as an escape character rather than a path separator, so the pattern never matches. The entry also needs path_filters and filter_all_events.
- In this example we filter out any filemods whose filename contains "helloworld" and that sit directly under C:\users\cb\desktop\
curl -k -XPOST -H "X-Auth-Token:cb4a6c3ee2683e7aaf7a67009f0d05754a7d33ab" -H "Content-Type: application/json" "https://localhost/api/v1/ingress_whitelist" -d '
[
  {
    "id": "filemodtest",
    "priority": 0,
    "enabled": true,
    "filter_on_server": true,
    "track_metrics": true,
    "os_mask": 1,
    "global": true,
    "path_filters": ["*"],
    "filter_all_events": false,
    "group_ids": [],
    "sensor_ids": [],
    "filemod_filters": ["rx|.*users\\\\cb\\\\desktop\\\\helloworld.*"]
  }
]'
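The following script is an added illustration, not part of this article or of the Carbon Black product. It builds the same kind of ingress_whitelist entry from a plain Windows path, shows where the four backslashes come from (re.escape doubles each backslash for the regex engine, json.dumps doubles them again for the JSON body), and checks the resulting pattern against a few constructed file paths before anything is sent to the server. The function names, the use of Python's re module as a stand-in for the server's regex engine, and the assumption that the server matches the whole path (the leading ".*" and trailing character class make the pattern work with a search-style match as well) are all assumptions of this example.

```python
import json
import re

# Constructed example: one ingress_whitelist entry shaped like the one in the
# article. The entry id and the helper names are hypothetical.
def build_filter(windows_dir: str, name_fragment: str) -> dict:
    """Return an ingress_whitelist entry whose filemod filter matches files
    located directly under windows_dir whose name contains name_fragment."""
    # re.escape writes each backslash as "\\" (two characters), which is what
    # the regex engine needs to see to match one literal backslash.
    dir_pattern = re.escape(windows_dir.rstrip("\\"))
    # [^\\]* = "any run of characters that is not a path separator", so the
    # filter does not reach into subdirectories of windows_dir.
    regex = rf".*{dir_pattern}\\[^\\]*{re.escape(name_fragment)}[^\\]*"
    return {
        "id": "filemodtest",
        "priority": 0,
        "enabled": True,
        "filter_on_server": True,
        "track_metrics": True,
        "os_mask": 1,
        "global": True,
        "path_filters": ["*"],
        "filter_all_events": False,   # drop only the filemod, keep the process
        "group_ids": [],
        "sensor_ids": [],
        "filemod_filters": ["rx|" + regex],
    }

def to_json(entry: dict) -> str:
    """Serialize the entry as the request body: json.dumps doubles every
    backslash again, so each literal path separator ends up as 4 backslashes."""
    return json.dumps([entry], indent=2)

def regex_from_filter(filter_str: str) -> re.Pattern:
    """Strip the 'rx|' prefix and compile the remainder (assumed engine: re)."""
    if not filter_str.startswith("rx|"):
        raise ValueError("expected an 'rx|' filemod filter")
    return re.compile(filter_str[3:])

def matches(entry: dict, path: str) -> bool:
    """True if the entry's first filemod filter would drop a filemod on path."""
    return regex_from_filter(entry["filemod_filters"][0]).fullmatch(path) is not None

def longest_backslash_run(json_text: str) -> int:
    """Longest run of consecutive backslashes in the serialized body."""
    return max((len(run) for run in re.findall(r"\\+", json_text)), default=0)

def roundtrip_ok(entry: dict) -> bool:
    """The filter string survives JSON encoding and decoding unchanged."""
    decoded = json.loads(to_json(entry))[0]["filemod_filters"][0]
    return decoded == entry["filemod_filters"][0]

if __name__ == "__main__":
    entry = build_filter("C:\\users\\cb\\desktop\\", "helloworld")
    print(to_json(entry))
    for p in ("C:\\users\\cb\\desktop\\helloworld.txt",
              "C:\\users\\cb\\desktop\\notes.txt",
              "C:\\users\\cb\\desktop\\sub\\helloworld.txt"):
        print(p, "->", "filtered" if matches(entry, p) else "kept")
```

Printing to_json(entry) shows the filter string exactly as it must appear in the curl body, with "\\\\" between path components; pasting a pattern that shows only "\\" is the mistake the article describes.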
Additional Information
- "filter_all_events": false is used so that only the matching filemod events are dropped; the process that generated them, and its other events, are still ingested.