How to use indexOf()

triggers

#1

What indexOf is and how it works.

The javascript method

indexOf(<match string>);

is a fast and easy way to test for the presence of a string. It
works on two data types: arrays (lists), and strings. To put it another way,
indexOf() allows you to ask, for example:

“Hey, in this data, is there a match for x?”

It’s generally dead simple to use, but it’s good to know the gotchas and specifics.

Let’s look at that now.

What indexOf() does.

The indexOf() method searches some text or a list of things (an array) for what you tell it to look for. If it’s there, it’ll return the offset - or the location
of the match - in the string or the array. If there’s no match, it’ll return -1.

We’ll start with strings.

Using indexOf() to check for the presence of a string.

var uri = HTTP.uri; // grab the uri. Here, 'www.extrahop.com';

// Now, let's look for the string 'extrahop' in the URI. If it's there, log it.
// Remember: if we get -1 back, there's no match. Any other value is a match.

// "Hey triggers, is the word 'extrahop' anywhere in the URI?"
if(uri.indexOf('extrahop') > -1) log('I found extrahop!'); // Yep, it's there.

One thing to note: indexOf() is case sensitive. Be on the lookout for this. For example:

if(uri.indexOf(‘Extrahop’) > -1) { log(‘I found Extrahop’)
} else {
log(‘No match - because of capital E’);
} // notice the capital “E”.

If you think that you’ll run into mixed-case strings, you can fix it easily by ‘normalizing’ to upper or lowercase:

if(uri.toLowerCase().indexOf('extrahop') > -1) log('Match! Everything is lower case.');

Notice how we just ‘chained’ calls: first, we made everything lower case. Then, we did our search. String methods are great, eh?

Lastly, we’ll talk about arrays. Let’s take a common use case: let’s see if there’s a port that has been hit on a server, and compare that to a list of allowed ports. The security use case here is pretty obvious - you can often think of Extrahop as a continus, always-on auditing platform :slight_smile:

A simple way to do this would be:

/* 
Event: TCP_OPEN
Use Case: Log attempts to connect to non-authorized ports.
Key trigger feature: indexOf() to search for allowed ports.
*/

// These ports are allowed. Anything else should be flagged.
var allowed_ports = [ 80, 443, 22, 8080, 1521]; 

// Now all we need to do is, for any connection that is opened, match it
// against this list.

var client = Flow.client.ipaddr; // Client's IP
var server = Flow.server.ipaddr; // Server's IP
var port = Flow.server.port; // The port the server has a connection on.

// If we get -1, we know for sure the port isn't in our list. 
// indexOf() makes this easy.
if(allowed_ports.indexOf(port) == -1){
	log(
		"Non authorized port access from: " + client 
		+ " to: " + server + " on " + port
		);
} else {
	// this connection is allowed, so exit.
	return;
}

While this trigger isn’t totally complete - we’d really want to create an access count and details so we can throw alerts on this - note how easily
we’ve built a skeleton for a custom continuous auditing solution. If someone connects to a non-authorized port, we’ll know about it.

Conclusion.

This post focused on using the handy indexOf() method as a matching tool to test for the presence of things in arrays or strings. It’s one of the most commonly used tools in the arsenal. Hopefully this will help you both understand and use it.

If you have any questions please feel free to comment!

–Matt Cauthorn