McAfee Support Community - Regex Support

kdrexler16 · ‎11-23-2012

Working on regex to parse this log format below matching on the values in bold.

Nov 17 09:39:32 ltrkar73s38.dsys.xx .net sshd2[29326]: [ID 702911 auth.notice] User e0166569 (uid 13359), coming from h45.1.102.166.ip.xx .net, authenticated.

([A-Z]{3}\s[0-9]{2})\s([0-9]{2}\:[0-9]{2}\:[0-9]{2})\s([a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+)\s([a-z0-9]+)

I cant get the values in the policy editor to highlight blue. Instead I get this error. What does this mean.

alert any any any -> any any (msg:"test";content:"authenticated"; pcre;pcre:"([A-Z]{3}\s[0-9]{2})\s([0-9]{2}\:[0-9]{2}\:[0-9]{2})\s([a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+\.[a-z0-9]+)\s([a-z0-9]+)"; nocase; adsid:777; sid:0; norm:0; severity:0; )

pcre[2] not referenced

failed to validate rule on line 1

staschler · ‎11-23-2012

The error is telling you that one of your regexes is not referenced in your field mapping. The UI won't allow you to save the custom rule until you've fully mapped the captured regex strings into SIEM database fields.

For troubleshooting your regex, you might like to try a tool like RegExe (http://gskinner.com/RegExr/). It provides excellent real-time feedback on your regex as you're building it. Right off the bat it appears that your first token "[A-Z]{3}" will likely fail to match the string "Nov", due to case mismatch.

Regex Support

Re: Regex Support