Juniper NETWORKS STRM - TECHNICAL NOTE REV 6-2008 Скачать руководство пользователя страница 12 | Manualshive

Страница: 12 / 16

background image

Release 2008.2

12

If the dashes are removed from the pattern, the pattern converts a MAC address
with no separators. If spaces are inserted, the pattern converts a space-separated
MAC address, and so on.

Combining IP Address and Port

Typically an IP address and port are combined in one field, separated by a colon or
a slash. The following example uses multiple capture groups with one pattern:

pattern id="SourceIPColonPort" xmlns=""><!

[CDATA[Source=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):([\d]{1,5})]]></pattern>

<matcher field="SourceIp" order="1" pattern-id="SourceIPColonPort" capture-group="1"

/>

<matcher field="SourcePort" order="1" pattern-id="SourceIPColonPort"

capture-group="2" />

Modifying an Event Category

A device event category may be hard-coded, or the severity needs to be adjusted.
The following example adjusts the severity for a single event type:

<event-match-single event-name="TheEvent" device-event-category="Actual Category"

severity="6" send-identity="UseDSMResults" />

Modifying Multiple Event Categories

The following example is similar to the above single event example, except that
this example matches all event codes starting with

7

and followed by one to five

digits:

<pattern id="EventNameId" xmlns=""><![CDATA[(7\d{1,5})]]></pattern>

<event-match-multiple pattern-id="EventNameId" capture-group-index="1"

device-event-category="Actual Category" severity="6" send-identity="UseDSMResults"/>

Suppressing Identity Change Events

A DSM may unnecessarily send identity change events. The following is two
examples; one is a method of how to suppress identity change events from being
sent from a single event type. The other is a method of how to suppress identity
change events from being sent from a group of events.

// Never send identity for the event with an EventName of “Authen OK”

<event-match-single event-name="Authen OK" device-event-category="ACS" severity="6"

send-identity="OverrideAndNeverSend" />

// Never send any identity for an event with an event name starting with 7, followed

by one to five other digits:

<pattern id="EventNameId" xmlns=""><![CDATA[(7\d{1,5})]]></pattern>

<event-match-multiple pattern-id="EventNameId" capture-group-index="1"

device-event-category="Cisco Firewall" severity="7"

send-identity="OverrideAndNeverSend"/>

«
...
10
11
12
13
14
...
»

Содержание NETWORKS STRM - TECHNICAL NOTE REV 6-2008

Страница 1: ...to various device types Using an extension document you can resolve parsing issues such as Fixing an event that has missing or incorrect fields for example if the username is not being parsed Completi...

Страница 2: ...ch groups may appear in the extension document Table 1 Pattern Parameters Parameter Description id Required Specify a regular string that is unique within the extension document case insensitive Optio...

Страница 3: ...st be a valid device type ID represented as an integer A list of device type IDs is presented in Table 6 If not specified this parameter defaults to the device type of the device to which the extensio...

Страница 4: ...nted with a straight group capture You can combine multiple groups together with extra text to form a value This parameter enables that behavior This parameter changes the meaning of the capture group...

Страница 5: ...ource MAC address for the message SourcePortPreNAT Specify the source port for the message before NAT occurs SourcePortPostNAT Specify the source port for the message after NAT occurs DestinationIp Sp...

Страница 6: ...port based protocols UserName Specify the user name associated with the event HostName Specify the host name associated with the event This field is usually only associated with identity events GroupN...

Страница 7: ...ation on creating extension documents including Writing a Complete Extension Document Uploading Extension Documents Solving Specific Parsing Issues send identity Specifies the sending of identity chan...

Страница 8: ...ld could use the exact same pattern in this case this may not be true in all FWSM events xml version 1 0 encoding UTF 8 device extension xmlns event_parsing device_extension pattern id EventNameFWSM x...

Страница 9: ...l The FWSM uses the Cisco Pix QID and therefore includes the device type id override 6 parameter in the match group the Pix firewall s device type ID is 6 see Table 6 If the QID information is not spe...

Страница 10: ...ce of TCP UDP ICMP or GRE the pattern is marked with the case insensitive parameter so that any occurrence matches Note You must search for the protocol when writing extension documents as STRM may no...

Страница 11: ...The following is an example of a straight substitution that parses the source IP address and then overrides the result and sets the IP address to 10 100 100 100 ignoring the IP address in the payload...

Страница 12: ...llowing example is similar to the above single event example except that this example matches all event codes starting with 7 and followed by one to five digits pattern id EventNameId xmlns CDATA 7 d...

Страница 13: ...x login messages 12 WindowsAuthServer Windows Security Event Log 13 IIS Windows IIS Webserver logs 14 Iptables Linux iptables Firewall 15 Proventia ISS Proventia Device 16 Classify Q1Labs Classify Eng...

Страница 14: ...niper Infranet Controller 60 PDSN Sprint PoC PDSN 61 RNC Sprint PoC RNC 62 BTS Sprint PoC BTS 63 ACS Cisco ACS 64 JuniperRouter Juniper Router 65 Sprint Sprint PoC 66 CallManager Cisco Call Manager 67...

Страница 15: ...Nortel Switched Firewall 6000 105 Q1Labs QRadar Q1Labs QRadar 106 3Com 8800 Series Switch 3Com 8800 Series Switch 107 Nortel VPN Gateway Nortel VPN Gateway 108 NortelTPS Nortel Threat Protection Intru...

Страница 16: ...trademarks or registered service marks in this document are the property of Juniper Networks or their respective owners All specifications are subject to change without notice Juniper Networks assumes...

Отзывы:

Нет отзывов

Похожие инструкции для NETWORKS STRM - TECHNICAL NOTE REV 6-2008

Бренд: Extreme Networks Страницы: 546

ExtremeWare 7.5

Бренд: Extreme Networks Страницы: 2546

Smart Wireless Navigator

Бренд: Emerson Страницы: 22

Бренд: Emerson Страницы: 130

drivers for video card

Бренд: EVGA Страницы: 23

PCoIP Technology

Бренд: EVGA Страницы: 27

225A1-05A111-1001 - AutoCAD Electrical 2009

Бренд: Autodesk Страницы: 255

ENTERPRISE LINUX AS 2.1 -

Бренд: Red Hat Страницы: 210

ENTERPRISE LINUX 5.3 - RELEASE MANIFEST

Бренд: Red Hat Страницы: 240

Бренд: Picsel Страницы: 23

SECURITY 5.5 - FOR PDA

Бренд: KAPERSKY Страницы: 66

ZVM - FOR LINUX V6 RELEASE 1

Бренд: IBM Страницы: 172

Gatekeeper/Border Controller API D14172.01

Бренд: TANDBERG Страницы: 84

Digital Vintage Reverb DVR2

Бренд: TC Electronic Страницы: 16

Бренд: DAVIS Страницы: 116

Бренд: NEC Страницы: 6

Бренд: Canon Страницы: 92

Бренд: Brother Страницы: 33

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды