Release 2008.2
a dash and then the true event name as expected by STRM. The only string with a
capture group (that is, bounded by parentheses) is this pattern of digits:
(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
The IP addresses and ports for the event all follow the same basic pattern: an IP
address followed by a slash followed by the numeric port number. This pattern
parses two pieces of data (the IP address and the port), and specifies different
capture groups in the matcher section.
<matcher field="SourceIp" order="1" pattern-id="SourceIp" capture-group="1" />
<matcher field="SourcePort" order="1" pattern-id="SourceIp" capture-group="2" />
Thus, the IP address/port patterns are four sets of one to three digits, separated by
periods followed by a slash and the port number. The IP address section is in a
group, as is the port number (but not the slash). As was previously mentioned, the
matcher sections for these fields reference the same pattern name, but a different
capture group (the IP address is group 1 and the port is group 2).
The protocol is a common pattern that searches the payload for the first instance of
TCP, UDP, ICMP, or GRE (the pattern is marked with the case-insensitive
parameter so that any occurrence matches).
Note: You must search for the protocol when writing extension documents, as
STRM may not display port numbers if the event is not based on a port-based
protocol. See Converting a Protocol for an example of how to search for a protocol.
Although a second protocol pattern does not occur in the event being used as an
example, there is a second protocol pattern defined with an order of two. If the
lowest-ordered protocol pattern does not match, the next one is attempted (and so
on). The second protocol pattern also demonstrates the concept of a direct
substitution; there are no match groups in the pattern, but with the
enable-substitutions parameter enabled, the text TCP can be used in place of
protocol=6.
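The matching rules described above (one pattern shared by two matchers through different capture groups, ordered fallback patterns for the same field, and a direct substitution when the pattern has no match groups) can be emulated to check an extension document against sample payloads before it is uploaded. The following is an added example, not STRM's own code or XML: the matcher attributes (field, order, pattern-id, capture-group, enable-substitutions) are those shown on this page, while the pattern element name, its case-insensitive attribute, the src=/dst= prefixes, the root element and the two sample events are constructed assumptions for this illustration.

```python
"""Toy emulation of the extension-document matching logic described on this page.

Constructed example. The <matcher> attributes come from the page; the <pattern>
element, its "case-insensitive" attribute and the root element are assumptions.
"""
import re
import xml.etree.ElementTree as ET

# Constructed extension document. The IP/port pattern is the page's digit pattern
# with a port group added; src=/dst= prefixes are assumed for the sample events.
EXTENSION_XML = r"""
<device-extension>
  <pattern id="SourceIp">src=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(\d{1,5})</pattern>
  <pattern id="DestinationIp">dst=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/(\d{1,5})</pattern>
  <pattern id="Protocol" case-insensitive="true">\b(TCP|UDP|ICMP|GRE)\b</pattern>
  <pattern id="ProtocolNumber">protocol=6</pattern>
  <matcher field="SourceIp" order="1" pattern-id="SourceIp" capture-group="1" />
  <matcher field="SourcePort" order="1" pattern-id="SourceIp" capture-group="2" />
  <matcher field="DestinationIp" order="1" pattern-id="DestinationIp" capture-group="1" />
  <matcher field="DestinationPort" order="1" pattern-id="DestinationIp" capture-group="2" />
  <matcher field="Protocol" order="1" pattern-id="Protocol" capture-group="1" />
  <matcher field="Protocol" order="2" pattern-id="ProtocolNumber"
           capture-group="TCP" enable-substitutions="true" />
</device-extension>
"""

# Constructed sample payloads: one names the protocol, one carries protocol=6.
EVENT_TCP = "src=10.0.0.5/51234 dst=192.168.1.20/443 tcp action=accept"
EVENT_NUM = "src=10.0.0.5/51234 dst=192.168.1.20/443 protocol=6 action=accept"


def load_extension(xml_text):
    """Compile the patterns and group the matchers per field, lowest order first."""
    root = ET.fromstring(xml_text)
    patterns = {}
    for p in root.findall("pattern"):
        flags = re.IGNORECASE if p.get("case-insensitive") == "true" else 0
        patterns[p.get("id")] = re.compile(p.text.strip(), flags)
    matchers = {}
    for m in root.findall("matcher"):
        matchers.setdefault(m.get("field"), []).append(m)
    for chain in matchers.values():
        chain.sort(key=lambda m: int(m.get("order")))
    return patterns, matchers


def apply_matcher(matcher, patterns, payload):
    """Return the field value this matcher extracts, or None if its pattern misses."""
    found = patterns[matcher.get("pattern-id")].search(payload)
    if found is None:
        return None
    capture = matcher.get("capture-group")
    if matcher.get("enable-substitutions") == "true":
        # Direct substitution: capture-group is literal text; any $N inside it
        # is replaced by match group N (here there are no groups, so "TCP" is used as is).
        return re.sub(r"\$(\d+)", lambda s: found.group(int(s.group(1))) or "", capture)
    return found.group(int(capture))


def parse_event(payload, patterns, matchers):
    """For each field, try its matchers in order and keep the first value that matches."""
    result = {}
    for field, chain in matchers.items():
        for matcher in chain:
            value = apply_matcher(matcher, patterns, payload)
            if value is not None:
                result[field] = value
                break
    return result


def parse_sample(payload):
    """Convenience wrapper: load the constructed document and parse one payload."""
    patterns, matchers = load_extension(EXTENSION_XML)
    return parse_event(payload, patterns, matchers)


if __name__ == "__main__":
    for event in (EVENT_TCP, EVENT_NUM):
        print(parse_sample(event))
```

Running this against EVENT_TCP yields the protocol "tcp" from the order-1 pattern, while EVENT_NUM falls through to the order-2 pattern and receives the substituted text "TCP"; a payload with neither string leaves the Protocol field unset, which is the case the Note above warns about.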
Uploading Extension Documents
Multiple extension documents can be created, uploaded, and associated with various
device types. Extension documents can be stored anywhere prior to uploading to
STRM. When you select an extension document for uploading, STRM validates
the document against the internal XSD. STRM also verifies the validity of the
document before uploading to the system. For more information about device
extensions, see Managing Sensor Devices Guide.