QRadar: "Failed to parse IP address" error for Custom Rule

Troubleshooting


Problem

Frequent errors appear in qradar.error of the form "Exception in rule <ruleID_number> - <rule_name>: Failed to parse IP address: <some_nonIP_value>".

For example,
[ecs-ep.ecs-ep] [CRE Processor [15]] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][xxx.xxx.xxx.xxx/- -] [-/- -]Exception in rule 123456 - My Rule Name: Failed to parse IP address: user0001
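To find which rule is producing the errors (and how quickly), it helps to group the "Failed to parse IP address" lines by rule ID and check whether the offending values are IP addresses at all. The following Python script is an added example, not part of the original IBM document or of QRadar itself; the log lines it parses are constructed to match the format shown above, and the rule IDs, names and values in them are made up.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Constructed sample excerpt of qradar.error in the format shown above.
# Rule IDs, rule names, addresses and values are made up for the example.
SAMPLE_LOG = """\
[ecs-ep.ecs-ep] [CRE Processor [15]] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][10.0.0.5/- -] [-/- -]Exception in rule 123456 - My Rule Name: Failed to parse IP address: user0001
[ecs-ep.ecs-ep] [CRE Processor [3]] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][10.0.0.5/- -] [-/- -]Exception in rule 123456 - My Rule Name: Failed to parse IP address: host-db01
[ecs-ep.ecs-ep] [CRE Processor [7]] com.q1labs.semsources.cre.CustomRule: [ERROR] [NOT:0000003000][10.0.0.5/- -] [-/- -]Exception in rule 654321 - Other Rule: Failed to parse IP address: 192.168.1.300
[ecs-ep.ecs-ep] [CRE Processor [7]] com.q1labs.semsources.cre.CustomRule: [INFO] [NOT:0000003000][10.0.0.5/- -] [-/- -]Some unrelated message
"""

# Matches the tail of the error message: rule ID, rule name and the value
# that could not be parsed as an IP address.
PATTERN = re.compile(
    r"Exception in rule (?P<rule_id>\d+) - (?P<rule_name>.+?): "
    r"Failed to parse IP address: (?P<value>\S+)\s*$"
)


def parse_parse_ip_errors(text):
    """Return a list of (rule_id, rule_name, value) for every matching line."""
    hits = []
    for line in text.splitlines():
        m = PATTERN.search(line)
        if m:
            hits.append((m.group("rule_id"), m.group("rule_name"), m.group("value")))
    return hits


def is_ip(value):
    """True if the value is a syntactically valid IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def summarize(text):
    """Group the offending values by rule so the rule to rework stands out.

    Each entry carries the rule name, the total number of errors and a count
    per distinct value, so a hostname or username that is being tested
    against an IP reference set is immediately visible.
    """
    by_rule = defaultdict(Counter)
    names = {}
    for rule_id, rule_name, value in parse_parse_ip_errors(text):
        by_rule[rule_id][value] += 1
        names[rule_id] = rule_name
    return {
        rule_id: {
            "name": names[rule_id],
            "count": sum(counts.values()),
            "values": dict(counts),
        }
        for rule_id, counts in by_rule.items()
    }


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; replace SAMPLE_LOG with the
    # contents of /var/log/qradar.error to analyse a real system.
    for rule_id, info in summarize(SAMPLE_LOG).items():
        print(f"rule {rule_id} ({info['name']}): {info['count']} errors")
        for value, n in info["values"].items():
            kind = "valid IP" if is_ip(value) else "not an IP"
            print(f"  {value!r}: {n} ({kind})")
```

Running the script over a real qradar.error lists each rule ID named in the error together with the values it tried to parse; a rule whose values are usernames or hostnames is the one whose test needs to be reworked as described under "Resolving The Problem". Note that a value such as 192.168.1.300 looks like an address but is still rejected, so the check uses a real parser rather than a pattern match.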

Symptom

Error logging grows rapidly, potentially increasing disk usage quickly on /var/log/ partition.

Cause

QRadar® cannot test a property containing string or numeric data against a reference set containing IP data.

Environment

QRadar® 7.3.x and greater

Diagnosing The Problem

Review the Custom Rule named in the error message for any tests matching this template:
and when any|all of these properties are contained in any|all of reference sets
For example,
and when any of Hostname, Source IP are contained in any of MyHostnameRefSet - AlphaNumeric, MyIPRefSet - IP
In this example, the Hostname property contains string data, but the test compares it against a reference set containing IP data, MyIPRefSet - IP.

Resolving The Problem

Rewrite the rule test so that only IP-type properties are compared to IP reference sets.

Where you need to test multiple properties against multiple reference sets, use one building block per property and reference set pair, and combine them in a Rule with an "and when events match any of these rules" test.

For example,
In the Custom Rule "MyRule", non-IP data in the Hostname property is being compared to the IP reference set MyIPRefSet, so the test must be reworked to correctly express the OR condition implied here:
and when any of Hostname, Source IP are contained in any of MyHostnameRefSet - AlphaNumeric, MyIPRefSet - IP
1. Create two separate Building Blocks, called MyBB1 and MyBB2 in this example:
   1. MyBB1 includes the test:
      and when any of Hostname are contained in any of MyHostnameRefSet - AlphaNumeric
   2. MyBB2 includes the test:
      and when any of Source IP are contained in any of MyIPRefSet - IP
2. Replace the original test in MyRule with a new test from the template:
   and when an event matches any|all of the following rules
   Configured as follows:
   and when an event matches any of the following MyBB1, MyBB2


Note: The Building Blocks must still follow best practice guidance on efficient test ordering; add extra tests as needed to make the Building Blocks more efficient.

Document Location

Worldwide

Document Information

Modified date:
22 August 2022

UID

ibm16205035