@ -870,14 +870,14 @@ PCRE extraction
It is possible to capture groups from the regular expression and log them into the
alert events.
There is 3 capabilities:
There are 3 capabilities:
* pkt: the extracted group is logged as pkt variable in ``metadata.pktvars``
* alert: the extracted group is logged to the ``alert.extra`` subobject
* alert: the extracted group is logged to the ``alert.context`` subobject
* flow: the extracted group is stored in a flow variable and end up in the ``metadata.flowvars``
To use the feature, parameters of pcre keyword need to be updated.
After the regular pcre regex and options, a comma separated lists of variable names.
After the regular pcre regex and options, a comma-separated list of variable names.
The prefix here is ``flow:``, ``pkt:`` or ``alert:`` and the names can contain special
characters now. The names map to the capturing substring expressions in order ::
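Review bot: the corrected bullet now reads "logged to the ``alert.context`` subobject", but the output example further down in this patch shows the captures nested as ``"alert": { "extra": { "context": { ... } } }``, i.e. under ``alert.extra.context``; pick one path and use it in both places so a consumer of the EVE JSON is not sent looking for a top-level ``alert.context`` key. While touching the bullets, the ``flow:`` line still has the subject/verb mismatch "is stored in a flow variable and end up in" (should be "ends up in"), and "parameters of pcre keyword" wants "of the pcre keyword".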
@ -885,7 +885,7 @@ characters now. The names map to the capturing substring expressions in order ::
flow:ua/ubuntu/repo,flow:ua/ubuntu/pkg/base, \
flow:ua/ubuntu/pkg/version";
This would result in the alert event has something like ::
This would result in the alert event having something like ::
"metadata": {
"flowvars": [
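Review bot: the grammar fix is fine, but "having something like" is still vaguer than it needs to be for a reference page; since the snippet that follows opens with ``"metadata": { "flowvars": [``, say so directly, e.g. "This would result in the alert event carrying the captures in a ``metadata.flowvars`` array, for example ::". It would also help readers if the ``flow:`` example here and the ``alert:`` example below used the same three capture names, so the only visible difference between the two snippets is where the values land.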
@ -908,7 +908,7 @@ get the event in the alert ::
With that syntax, the result of the extraction will appear like ::
"alert": {
"extra": {
"context": {
"ua/ubuntu/repo": "fr",
"ua/ubuntu/pkg/base": "curl",
"ua/ubuntu/pkg/version": "2.2.1"
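Review bot: this hunk is context only, but it is the place the documentation should state what the example values ``"fr"``, ``"curl"`` and ``"2.2.1"`` are: substrings copied verbatim out of the matched traffic into ``alert.extra.context``. A one-line note that these values are untrusted input (whatever the regex captured, with no normalisation) would tell SIEM and dashboard consumers to treat them as opaque strings rather than as vetted package or version identifiers. The variable names containing ``/`` are a good illustration of the "names can contain special characters now" sentence from the first hunk; a cross-reference between the two would tie them together.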