Release 2008.2
Creating Extension Documents
Solving Specific Parsing Issues
This section provides you with XML examples that can be used when resolving
specific parsing issues that may arise:
• Converting a Protocol
• Making a Single Substitution
• Generating Colon-Separated MAC Address
• Combining IP Address and Port
• Modifying an Event Category
• Modifying Multiple Event Categories
• Suppressing Identity Change Events
Converting a Protocol
The following example shows a typical protocol conversion that searches for TCP,
UDP, ICMP or GRE anywhere in the payload, surrounded by any word boundary
(for example, tab, space, end-of-line). Also, character case is ignored:
<pattern id="Protocol" case-insensitive="true" xmlns=""><![CDATA[\b(tcp|udp|icmp|gre)\b]]></pattern>
<matcher field="Protocol" order="1" pattern-id="Protocol" capture-group="1" />
Making a Single Substitution
The following is an example of a straight substitution that parses the source IP
address, and then overrides the result and sets the IP address to 10.100.100.100,
ignoring the IP address in the payload. The example assumes that the source IP
address matches something similar to SrcAddress=10.3.111.33 followed by a
comma:
<pattern id="SourceIp_AuthenOK" xmlns=""><![CDATA[SrcAddress=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),]]></pattern>
<matcher field="SourceIp" order="1" pattern-id="SourceIp_AuthenOK" capture-group="10.100.100.100" enable-substitutions="true"/>
Generating Colon-Separated MAC Address
STRM detects MAC addresses in a colon-separated form. Since all devices do not
use this form, the following example shows how to correct that situation:
<pattern id="SourceMACWithDashes" xmlns=""><![CDATA[SourceMAC=([0-9a-fA-F]{2})-([0-9a-fA-F]{2})-([0-9a-fA-F]{2})-([0-9a-fA-F]{2})-([0-9a-fA-F]{2})-([0-9a-fA-F]{2})]]></pattern>
<matcher field="SourceMAC" order="1" pattern-id="SourceMACWithDashes" capture-group="\1:\2:\3:\4:\5:\6" />
In the above example, SourceMAC=12-34-56-78-90-AB is converted to a MAC address of 12:34:56:78:90:AB.
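The three pattern/matcher pairs above can be checked against sample payloads before they are loaded into an extension document. The following Python script is an added example and is not part of the STRM documentation or product code; it models the matcher behaviour the examples rely on. One assumption is made that the page does not spell out: a capture-group attribute consisting only of a number selects that regex group, while any other value is treated as a template in which \1 to \9 are replaced by the matched groups and all other characters are copied literally, which is how both the literal-substitution example and the MAC example behave. The payloads are constructed for this example.

```python
import re

# Added example, not STRM product code: a small model of how a <pattern>/<matcher>
# pair from an extension document turns a payload into a field value.
#
# Assumption (not stated on the page): a capture-group that is a plain integer
# selects that regex group; anything else is a template where \1..\9 refer to the
# pattern's groups and every other character is emitted as-is.


def apply_matcher(payload, regex, capture_group, case_insensitive=False):
    """Return the field value the matcher would set, or None if the pattern
    does not match anywhere in the payload."""
    flags = re.IGNORECASE if case_insensitive else 0
    match = re.search(regex, payload, flags)
    if match is None:
        return None
    if capture_group.isdigit():
        # Plain group number: the field is exactly the text that group matched.
        return match.group(int(capture_group))
    # Template form: expand Java-style back references such as \1 with the
    # corresponding group text; literal characters (":" or a fixed address) stay.
    return re.sub(r"\\(\d)",
                  lambda ref: match.group(int(ref.group(1))) or "",
                  capture_group)


# Regex text of the three patterns shown on the page (CDATA contents only).
PROTOCOL_RE = r"\b(tcp|udp|icmp|gre)\b"
SOURCE_IP_RE = r"SrcAddress=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),"
SOURCE_MAC_RE = (r"SourceMAC=([0-9a-fA-F]{2})-([0-9a-fA-F]{2})-([0-9a-fA-F]{2})"
                 r"-([0-9a-fA-F]{2})-([0-9a-fA-F]{2})-([0-9a-fA-F]{2})")


def parse_protocol(payload):
    """Converting a Protocol: case-insensitive, whole-word match of tcp/udp/icmp/gre."""
    return apply_matcher(payload, PROTOCOL_RE, "1", case_insensitive=True)


def parse_source_ip_override(payload):
    """Making a Single Substitution: the pattern must match (address followed by a
    comma), but the field is set to the literal address in capture-group."""
    return apply_matcher(payload, SOURCE_IP_RE, "10.100.100.100")


def parse_source_mac(payload):
    """Generating Colon-Separated MAC Address: six groups re-joined with colons."""
    return apply_matcher(payload, SOURCE_MAC_RE, r"\1:\2:\3:\4:\5:\6")


# Constructed sample payloads; the third one deliberately contains "tcpdump",
# which must NOT be reported as protocol "tcp" because of the \b boundaries.
SAMPLE_PAYLOADS = [
    "AuthenOK SrcAddress=10.3.111.33, proto=TCP SourceMAC=12-34-56-78-90-AB",
    "ICMP echo from SrcAddress=192.0.2.7, SourceMAC=de-ad-be-ef-00-01",
    "ftpd: ran tcpdump on the host; SrcAddress=10.3.111.33 (no trailing comma)",
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print(parse_protocol(payload),
              parse_source_ip_override(payload),
              parse_source_mac(payload))
```

Running the script shows the protocol match keeps the payload's own case ("TCP", "ICMP"), the substitution matcher returns the literal address regardless of what was parsed, and the MAC matcher rejoins the six groups with colons. The third payload yields None for every field: "tcpdump" fails the word-boundary test, and the SrcAddress pattern does not match without the comma the regex requires, so the matcher leaves the field untouched rather than setting a wrong value.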