Working on a regex to parse the log format below, matching on the values in bold.
Nov 17 09:39:32 ltrkar73s38.dsys.xx .net sshd2[29326]: [ID 702911 auth.notice] User e0166569 (uid 13359), coming from h45.1.102.166.ip.xx .net, authenticated.
([A-Z]{3}\s[0-9]{2})\s([0-9]{2}\:[0-9]{2}\:[0-9]{2})\s([a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+)\s([a-z0-9]+)
I can't get the values in the policy editor to highlight blue. Instead I get this error. What does this mean?
alert any any any -> any any (msg:"test";content:"authenticated"; pcre;pcre:"([A-Z]{3}\s[0-9]{2})\s([0-9]{2}\:[0-9]{2}\:[0-9]{2})\s([a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+)\s([a-z0-9]+)"; nocase; adsid:777; sid:0; norm:0; severity:0; )
pcre[2] not referenced
failed to validate rule on line 1
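An added check, not part of the original post, that runs the posted pattern in Python over constructed syslog lines in the same sshd2 layout. It shows that the pattern only matches "Nov" when the match is case-insensitive (the effect the rule's nocase option is meant to give) and what its four groups capture. Hostnames, user names and IDs are made up.

```python
import re

# The poster's pattern, verbatim.
PATTERN = (r"([A-Z]{3}\s[0-9]{2})\s([0-9]{2}\:[0-9]{2}\:[0-9]{2})"
           r"\s([a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+)\s([a-z0-9]+)")

# Constructed sample lines in the same syslog/sshd2 layout as the post.
# Hostnames, users and IDs are made up; the hostname has four contiguous
# labels so the third group of the pattern can match it.
SAMPLE_LINES = [
    "Nov 17 09:39:32 host01.dsys.example.net sshd2[29326]: [ID 702911 auth.notice] "
    "User e0166569 (uid 13359), coming from h45.example.net, authenticated.",
    "Nov 17 09:40:01 host01.dsys.example.net cron[1200]: (root) CMD (run-parts /etc/cron.hourly)",
    "Nov 17 09:41:17 host01.dsys.example.net sshd2[29340]: [ID 702911 auth.notice] "
    "User e0166570 (uid 13360), coming from h46.example.net, authenticated.",
]


def parse_line(line, nocase=True):
    """Return (date, time, host, program) or None if the pattern does not match.

    nocase=True mirrors a case-insensitive PCRE match; with nocase=False the
    [A-Z]{3} month token fails on "Nov" because 'o' and 'v' are lowercase.
    """
    flags = re.IGNORECASE if nocase else 0
    m = re.search(PATTERN, line, flags)
    return m.groups() if m else None


def count_auth_events(lines, nocase=True):
    """Count lines the pattern matches that also carry the 'authenticated' content."""
    hits = 0
    for line in lines:
        fields = parse_line(line, nocase)
        if fields and "authenticated" in line.lower():
            hits += 1
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line), "| case-sensitive:", parse_line(line, nocase=False))
    print("authenticated events:", count_auth_events(SAMPLE_LINES))
```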