AlienVault wildcards in directives (FIND: / REGEX:) and how it works

45 views

I've been playing with AlienVault and wanted to create alarms based on certain conditions in the userdata fields of events. There are articles and discussions about using FIND: and REGEX: in the directives that should allow me to do string searches on these fields; however, I cannot get them to work.

For example, to find the string adminarea in userdata5 (which is the path of the URL) and trigger an alert, I am adding "FIND:adminarea" to the userdata5 field, or "REGEX:*adminarea*", and neither seems to work.

There are plenty of examples and discussions about this functionality, but I have had no luck, and I'm hoping someone knows what I'm doing wrong. I have looked at the XML for these rules and it looks to be correct with USERDATA5="FIND:adminarea"; however, I cannot find any examples of this in action in the default configs when grepping the existing rule XML for anything similar.
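The following is an added example, not AlienVault's own code, that emulates the assumed interpretation of a directive attribute value (a FIND: prefix as a plain substring test, a REGEX: prefix as a regular-expression search, anything else as an exact literal) and validates a value before it goes into the rule XML. It shows why a pattern like `REGEX:*adminarea*` can never fire: a leading `*` is not a valid regular expression, whereas `FIND:adminarea` or `REGEX:.*adminarea.*` match the sample path.

```python
import re

# Assumed semantics (not AlienVault's own implementation): "FIND:" is a
# substring match, "REGEX:" is a regex search, anything else is an exact
# literal comparison against the event field.
def parse_matcher(value):
    """Split a directive attribute value into (kind, pattern)."""
    if value.startswith("FIND:"):
        return "find", value[len("FIND:"):]
    if value.startswith("REGEX:"):
        return "regex", value[len("REGEX:"):]
    return "exact", value

def validate(value):
    """Return None if the value is usable, otherwise a short reason."""
    kind, pattern = parse_matcher(value)
    if not pattern:
        return "empty pattern"
    if kind == "regex":
        try:
            re.compile(pattern)
        except re.error as exc:
            # e.g. "*adminarea*" -> "nothing to repeat at position 0"
            return f"invalid regex: {exc}"
    return None

def field_matches(value, field):
    """Apply the matcher described by `value` to one event field value."""
    kind, pattern = parse_matcher(value)
    if kind == "find":
        return pattern in field
    if kind == "regex":
        return re.search(pattern, field) is not None
    return field == pattern

# Constructed sample event field: userdata5 carrying the URL path.
SAMPLE_USERDATA5 = "/adminarea/login.php"

if __name__ == "__main__":
    for v in ("FIND:adminarea", "REGEX:*adminarea*",
              "REGEX:.*adminarea.*", "adminarea"):
        problem = validate(v)
        print(v, "->", problem or field_matches(v, SAMPLE_USERDATA5))
```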


There are 0 answers