flexconnector - regex pfsense

Photo posted by emanuelpalmeira on Aug 4, 2016

Hello, my name is Emanuel Palmeira. I am currently using the ArcSight regex tool to create a FlexConnector for pfSense logs; message and submessage show yellow, and S.M.Pattern does not turn red. For some reason it is not working. I will paste the configuration here; maybe someone has already run into this kind of problem.

 

raw log for each pattern:

S.M.Pattern[0] : <134>Jul 12 15:05:47 filterlog: 99,16777216,,1464185881,re1,match,pass,in,4,0x0,,126,31382,0,none,17,udp,85,1.1.1.1,2.2.2.2,4909,53,65

S.M.Pattern[1] : <134>Jul 12 15:05:47 filterlog: 99,16777216,,1464185881,re1,match,pass,in,4,0x0,,62,55891,0,DF,6,tcp,60,1.1.1.1,2.2.2.2,17938,443,0,S,1229475840,,14600,,mss;sackOK;TS;nop;wscale

S.M.Pattern[2] : <134>Jul 12 15:05:47 filterlog: 99,16777216,,1464185881,re1,match,pass,in,4,0x0,,125,26193,0,DF,6,tcp,52,1.1.1.1,2.2.2.2,20476,443,0,S,2900331658,,8192,,mss;nop;wscale;nop;nop;sackOK

 

FlexAgent Regex Configuration File

# FlexAgent Regex Configuration File
#
# Parser for pfSense filterlog syslog lines (see the three sample events above).
# The main regex splits the fixed header that every filterlog line carries; the
# protocol-specific tail is captured whole into the last token ("resto") and
# handed to the submessage descriptors further down.

# Keep raw events that do not match the main regex instead of dropping them.
do.unparsed.events=true

# Values are Java-properties strings: `\\d` reaches the regex engine as `\d`
# and `\:` as a literal ':'. Capture groups, left to right, feed token[0]..token[27]
# (token[i] <- group i+1):
#   1 syslog PRI (<134>)   2 month          3 day             4 hh:mm:ss
#   5 "filterlog"          6 rule number    7 sub-rule        8 anchor
#   9 tracker id          10 interface     11 "match"        12 pass|block
#  13 in|out              14 IP version    15 TOS ("0x0")    16/17 halves of TOS
#  18 ECN                 19 TTL           20 packet id      21 fragment offset
#  22 IP flags            23 protocol id   24 protocol text  25 length
#  26 source address      27 destination address             28 rest of the line
# Groups 8, 18 and 28 are greedy `(.*)`; 8 and 18 are empty in all three samples
# and only stop at the right comma through backtracking. `\\d*` also accepts an
# empty field, so a missing numeric column does not fail the match; the token is
# simply empty.
regex=<(\\d*)>(\\w+) (\\d*) (\\d*\:\\d*\:\\d*) (filterlog)\: (\\d*),(\\d*),(.*),(\\d*),(\\w+),(match),(pass|block),(in|out),(\\d*),((\\d*)x(\\d*)),(.*),(\\d*),(\\d*),(\\d*),(\\w*),(\\d*),(udp|tcp|icmp),(\\d*),(\\d*\\.\\d*\\.\\d*\\.\\d*),(\\d*\\.\\d*\\.\\d*\\.\\d*),(.*)

# 28 capture groups above -> 28 tokens below.
token.count=28

 

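# Token definitions, one per capture group of the main regex (token[i] <- group i+1).

# Syslog header
token[0].name=LogEntry
token[0].type=String
token[1].name=month
token[1].type=String
token[2].name=day
token[2].type=Integer
# NOTE(review): confirm that `Time` is a supported token type here; timestamp
# tokens usually need an explicit format for values like "15:05:47".
token[3].name=time
token[3].type=Time
token[4].name=log
token[4].type=String

# filterlog rule, interface and verdict
token[5].name=RuleNumber
token[5].type=Integer
token[6].name=SubRuleNumber
token[6].type=Integer
token[7].name=Anchor
token[7].type=String
token[8].name=Tracker
token[8].type=Integer
token[9].name=RealInterface
token[9].type=String
token[10].name=ReasonForLogEntry
token[10].type=String
token[11].name=actionTakenResultedInLogEntry
token[11].type=String
token[12].name=directionOfTraffic
token[12].type=String

# IP header
token[13].name=ipVersion
token[13].type=Integer
token[14].name=TypeofServiceIdentification
token[14].type=String
token[15].name=TypeofService1
token[15].type=Integer
token[16].name=TypeofService2
token[16].type=Integer
token[17].name=explicitCongestionNotification
token[17].type=String
token[18].name=timetoLiveofthePacket
token[18].type=Integer
token[19].name=IDofThePacket
token[19].type=Integer
token[20].name=FragmentOffset
token[20].type=Integer
# Fixed: this line read `token21].name=IPFlags` (missing '['), which is not a
# valid token key and most likely left token[21] without a name.
token[21].name=IPFlags
token[21].type=String
token[22].name=ProtocolId
token[22].type=Integer
token[23].name=ProtocolText
token[23].type=String
# (sic) "lenght" is also referenced by event.deviceCustomNumber1 below, so the
# spelling must be changed in both places or in neither.
token[24].name=lenght
token[24].type=Integer
token[25].name=SourceAddress
token[25].type=IPAddress
token[26].name=TargetAddress
token[26].type=IPAddress

# Everything after the destination address; parsed by the submessage descriptors.
token[27].name=resto
token[27].type=String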

 

# Submessage routing: the integer ProtocolId (6 = tcp, 17 = udp in the samples)
# selects the submessage[n].messageid below, and the text after the destination
# address ("resto") is what those submessage patterns parse.
submessage.messageid.token=ProtocolId
submessage.token=resto

# Event field mappings from the header tokens.
event.deviceCustomNumber2=RuleNumber
# NOTE(review): submessage[1] (udp) also writes event.deviceCustomNumber1, so one
# of the two assignments is overwritten — which one depends on the order the
# connector applies them; verify.
event.deviceCustomNumber1=lenght
event.deviceAction=actionTakenResultedInLogEntry
event.deviceVendor=__stringConstant(pfsense)
event.deviceProduct=__stringConstant(pfsense)
# NOTE(review): TargetAddress and SourceAddress are already IPAddress tokens;
# __numberToAddress() appears to be a numeric-to-address conversion, so wrapping
# an address in it looks like a type mismatch. Check in the regex tool whether a
# plain `event.destinationAddress=TargetAddress` is what is meant.
event.destinationAddress=__numberToAddress(TargetAddress)
# NOTE(review): this stores a per-event value ("udp"/"tcp") in a *Label field;
# labels are normally constants, and the protocol itself would usually go to
# event.transportProtocol — verify the intent.
event.deviceCustomString1Label=ProtocolText
# 0 when the packet came in, 1 otherwise (CEF deviceDirection: 0 = inbound, 1 = outbound).
event.deviceDirection=__ifThenElse(directionOfTraffic,"in",0,1)
event.sourceAddress=__numberToAddress(SourceAddress)
# Not mapped in this file: month/day/time (no deviceReceiptTime or endTime, so
# the event time will be whatever the connector assigns), RealInterface, and
# deviceSeverity, which the severity.map entries below depend on.

 

# Severity buckets keyed on event.deviceSeverity. Nothing in this file assigns
# deviceSeverity, so these maps have no effect unless it is set elsewhere.
# NOTE(review): the syslog PRI captured in LogEntry (e.g. 134) encodes
# facility*8 + severity (134 -> facility 16 / local0, severity 6 "informational");
# deriving deviceSeverity from it would make these buckets apply.
severity.map.veryhigh.if.deviceSeverity=0,1
severity.map.high.if.deviceSeverity=2,3
severity.map.medium.if.deviceSeverity=4,5
severity.map.low.if.deviceSeverity=6,7

 

#l10n.filename.prefix=

 

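# Submessage descriptors. The submessage text is token "resto", i.e. everything
# after the destination address. From the samples above that is, for tcp:
#   17938,443,0,S,1229475840,,14600,,mss;sackOK;TS;nop;wscale
# and for udp:
#   4909,53,65
# Both therefore begin at the source port — length and the two addresses were
# already consumed by the main regex.
submessage.count=3

# tcp (ProtocolId 6)
submessage[0].messageid=6
submessage[0].pattern.count=2
# Empty regex with fields=event.name: presumably the tool-generated catch-all.
submessage[0].pattern[0].regex=
submessage[0].pattern[0].fields=event.name

# Fixed: this pattern previously began with `(\\d+),(ip),(ip),` — length and the
# two dotted-quad addresses, which are never present in "resto" — so no tcp
# event could match it. Layout now: src port, dst port, data length, flags,
# sequence, ack, window, urg, then six ';'-separated options, which is the same
# layout as submessage[2].pattern[2]. Only the third sample (six options) fits;
# the second sample carries five options and still falls through, so a
# five-option variant like submessage[2].pattern[1] is needed for it.
# NOTE(review): `.` inside (S|A|.|F|R|P|U|E|W) is an unescaped wildcard (any one
# character), and the alternation accepts a single letter only; if pfSense
# emits combined flags such as `SA` or `PA`, those lines will not match either.
# NOTE(review): 14 groups but a single field (event.name) and no mappings —
# confirm how the tool treats the remaining groups, or add `.mappings=`.
submessage[0].pattern[1].regex=(\\d+),(\\d+),(\\d+),(S|A|.|F|R|P|U|E|W),(\\d+),(.*),(\\d+),(.*),(mss|nop|wscale|sackOK|TS);(mss|nop|wscale|sackOK|TS);(mss|nop|wscale|sackOK|TS);(mss|nop|wscale|sackOK|TS);(mss|nop|wscale|sackOK|TS);(mss|nop|wscale|sackOK|TS)
submessage[0].pattern[1].fields=event.name

# udp (ProtocolId 17): "srcport,dstport,datalen"
submessage[1].messageid=17
submessage[1].pattern.count=1
submessage[1].pattern[0].regex=(\\d+),(\\d+),(\\d+)
# NOTE(review): $1 is the source port and $2 the destination port. Mapping $1
# into deviceCustomNumber1 collides with `event.deviceCustomNumber1=lenght`
# from the header mappings; event.sourcePort is the natural home for $1.
submessage[1].pattern[0].fields=event.deviceCustomNumber1,event.deviceCustomNumber3,event.destinationPort
submessage[1].pattern[0].types=Integer,Integer,Integer
submessage[1].pattern[0].mappings=$1|$3|$2

# Default submessage descriptor
# NOTE(review): it is not clear from this file whether a tcp event that fails
# every submessage[0] pattern falls back here — verify in the regex tool.
submessage[2].pattern.count=3
submessage[2].pattern[0].regex=
submessage[2].pattern[0].fields=event.name

# Five-option tcp tail (matches the second sample). $1 is the source port but is
# mapped to event.fileSize; event.sourcePort looks intended — verify.
submessage[2].pattern[1].regex=(\\d+),(\\d+),(\\d+),(S|A|.|F|R|P|U|E|W),(\\d+),(.*),(\\d+),(.*),(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(wscale|mss|sackOK|TS|nop)
submessage[2].pattern[1].fields=event.destinationPort,event.deviceCustomString2,event.deviceCustomString3,event.deviceCustomString4,event.deviceCustomString5,event.deviceCustomString6,event.deviceCustomString1Label,event.deviceCustomString2Label,event.deviceCustomString3Label,event.deviceCustomString4Label,event.fileSize
submessage[2].pattern[1].names=$1,$2,$3,$4,$5,$7,$9,$10,$11,$12,$13
submessage[2].pattern[1].mappings=$2|$3|$4|$5|$7|$9|$10|$11|$12|$13|$1

# Six-option tcp tail (matches the third sample).
submessage[2].pattern[2].regex=(\\d*),(\\d*),(\\d*),(S|A|.|F|R|P|U|E|W),(\\d*),(.*),(\\d*),(.*),(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale);(mss|sackOK|TS|nop|wscale)
# Fixed: `event.devceCustomNumber1Label` -> `event.deviceCustomNumber1Label`
# (misspelled field name that the connector cannot resolve).
submessage[2].pattern[2].fields=event.fileSize,event.destinationPort,event.deviceCustomNumber1,event.deviceCustomNumber1Label,event.deviceCustomNumber2,event.deviceCustomString2,event.deviceCustomString2Label,event.deviceCustomString3,event.deviceCustomString3Label,event.deviceCustomString4,event.deviceCustomString4Label,event.deviceInboundInterface
submessage[2].pattern[2].names=$1,$2,$3,$4,$5,$7,$9,$10,$11,$12,$13,$14
submessage[2].pattern[2].mappings=$1|$2|$3|$5|$7|$9|$10|$11|$12|$13|$14|$4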

 

Thank you

Best regards

Emanuel Palmeira
