6 Replies Latest reply on Apr 8, 2013 8:01 AM by kcole

    custom rule PCRE and string replace

      Hi,

       

      Can I use McAfee SIEM's normalization rules (PCRE based) not just to match but to replace? For example, I have a log file containing important information, but with a custom rule I want to first match and then replace it (for example, the log files I am normalizing can contain CC (credit card) information), or first replace and then match fields using PCRE in the McAfee SIEM custom rule editor?

       

      PS: With this I want to mask certain fields so the SIEM DB won't contain sensitive information, which it normally would if I use match (group) only.

       

      Regards

        • 1. Re: custom rule PCRE and string replace
          grant_babb

          The way to do this in the product today is with Data Enrichment. You can get to it from the System Properties dialog. When you add a new data enrichment, you get a box with three tabs. The first tab changes the options on the next two, so it is important that you select "string literal" and "string literal". This will work fine for your use case.

          [screenshot: regex_main.png]

          Next you need to put in the regex. I didn't have one handy for credit cards, but it's not a hard one to come by.

          [screenshot: regex_source.png]

          This also allows you to test your regex.

          Now you need to map the enrichment, on the destination tab.

          [screenshot: regex_destination.png]

          Here I used Object, but you need to use whatever field you mapped the value into (maybe a custom type?).

           

          You also select the device(s) that will use the enrichment here.

           

          You should check the documentation on Data Enrichment, but basically it allows you to modify the value of one field and replace that value or overwrite the value of another field.

           

          Cheers,

          Grant

          • 2. Re: custom rule PCRE and string replace

            Thank you Grant I will try it.

            • 3. Re: custom rule PCRE and string replace

              Here is a CC regex (just hoping it will help someone else):

               

              An easier way is to replace all "," and "-" with an empty string before proceeding.

              Thanks to @Michael's comment, here's a regex that matches Visa, MasterCard, American Express, Diners Club, Discover, and JCB cards:

              ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\d{3})\d{11})$

              http://stackoverflow.com/questions/9315647/regex-credit-card-number-tests
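
              Worked example (added here; it is not code from the thread or from the McAfee product). The Data Enrichment feature described in the first reply is configured in the SIEM GUI, so this Python script stands in for the replace step and shows how the StackOverflow regex quoted above can be used to mask rather than just match. Two caveats a practitioner should know before pasting that regex into an enrichment: it is anchored with ^ and $, so it only matches a field that is exactly a card number and will not find a number embedded in a log line; and digit patterns alone produce false positives on other long numeric IDs, so the example strips separators, checks the brand pattern, and requires the Luhn checksum before masking. The log lines and card numbers are constructed test data.

```python
import re

# Constructed sample log lines (not from the thread). The card numbers are the
# usual publicly documented test numbers, not real accounts.
SAMPLE_LOGS = [
    "2013-04-08 08:01:00 app=shop user=alice cc=4111111111111111 status=approved",
    "2013-04-08 08:01:05 app=shop user=bob cc=5500-0000-0000-0004 status=declined",
    "2013-04-08 08:01:09 app=shop user=carol cc=3782 822463 10005 status=approved",
    "2013-04-08 08:01:12 app=shop order=1234567890123456789 status=shipped",
]

# Brand alternatives from the StackOverflow regex quoted in the thread, with the
# ^ and $ anchors removed. We fullmatch() the separator-stripped digits
# ourselves, so the anchors are not needed (and would block in-line matches).
CARD_BRANDS = re.compile(
    r"4[0-9]{12}(?:[0-9]{3})?"          # Visa (13 or 16 digits)
    r"|5[1-5][0-9]{14}"                  # MasterCard
    r"|6(?:011|5[0-9][0-9])[0-9]{12}"    # Discover
    r"|3[47][0-9]{13}"                   # American Express
    r"|3(?:0[0-5]|[68][0-9])[0-9]{11}"   # Diners Club
    r"|(?:2131|1800|35\d{3})\d{11}"      # JCB
)

# Candidate span: 13 to 19 digits, optionally separated by single spaces or
# dashes, and not adjacent to other digits (so a longer numeric ID is not
# carved up into a "card number").
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_card_number(raw: str) -> bool:
    """True only if the span matches a brand pattern AND passes Luhn."""
    digits = re.sub(r"[ -]", "", raw)
    return CARD_BRANDS.fullmatch(digits) is not None and luhn_ok(digits)


def mask_span(raw: str, keep_last: int = 4) -> str:
    """Replace all but the last `keep_last` digits with X, keeping separators."""
    n_digits = sum(ch.isdigit() for ch in raw)
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > n_digits - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)


def mask_cards(line: str) -> str:
    """Mask every validated card number in a log line; leave other digits alone."""
    def repl(m: re.Match) -> str:
        span = m.group(0)
        return mask_span(span) if is_card_number(span) else span
    return CANDIDATE.sub(repl, line)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(mask_cards(line))
```

              Run it and the three card numbers come out as XXXXXXXXXXXX1111, XXXX-XXXX-XXXX-0004 and XXXX XXXXXX X0005, while the 19-digit order number is untouched because it matches no brand pattern. Whatever tool does the replacement, run it before the event is written to the database: a masking step applied after storage still leaves the original value in the event's raw message.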

              • 4. Re: custom rule PCRE and string replace

                [screenshot: data_enrichment_Source_no_regex.png]

                 

                Hi,

                 

                In the data enrichment wizard, on the Source tab, there is no Regular Expression type? I am using 9.1.3 20130214. Am I missing something here? I have looked at the documentation (I already used String Literal for Lookup type):

                 

                c. Enter the field type of the key column in the select query in the Lookup Type field.

                If you want to use a Perl-compatible regular expression (PCRE) expression as the source for the data enrichment, you need to select String Literal in the Lookup Type field.


                [screenshot: Untitled.png]

                • 5. Re: custom rule PCRE and string replace

                  Just in case there is a problem with my computer: I have tried with 2 different computers and 3 different browsers, and the result is the same.

                  • 6. Re: custom rule PCRE and string replace
                    kcole

                    This is a 9.2 feature so you will need to be on a 9.2 version.