Hi All,

Are there any tools/scripts anyone has written that will convert regex to patterndb types of matches?

So, given some rewrite rule from the "old" way of doing it, convert that rule to a pdb file.

Like:

filter f_asa {
  match(
    '(.*?):?(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)\/(\d+)(.*?)(\).*?)?:?(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)\/(\d+)(.*?)(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)\/(\d+)(.*)'
    value("MESSAGE") type("pcre") flags("store-matches" "ignore-case")
  );
};

rewrite rw_cisco {
  set("$1 SourceIP: $2 SourcePort:$3 $4 $5DestIP: $6 DestPort:$7 $8 SourceIP: $9 SourcePort:$10 $11", value("MESSAGE") condition(filter(f_asa)));
};

Convert to something like:

<pattern>%ASA-6-305011: Built dynamic TCP translation from inside:@IPv4:src_ip@/@NUMBER:src_port@ to Outside:@IPv4:dst_ip@/@NUMBER:dst_port@</pattern>

Note: the above is just an example, the regex may not be the same as the actual <pattern> - I just copy pasted from different files to show an example.
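
Added example, not part of the original post: patterndb patterns are literal text plus @PARSER:name@ fields rather than regular expressions, so this Python script derives a pattern from a sample message instead of translating the regex, then checks that the pattern recovers the fields. The sample line, the src/dst field names and the function names are assumptions made for the illustration.

```python
import re
from xml.sax.saxutils import escape as xml_escape

# Constructed sample message, modelled on the <pattern> quoted in the post.
SAMPLE = ("%ASA-6-305011: Built dynamic TCP translation from "
          "inside:192.0.2.10/51234 to Outside:198.51.100.7/443")

IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
# An IPv4 address, optionally followed by "/port", as in the ASA messages above.
ENDPOINT = re.compile(rf"(?<![\d.])({IPV4})(?!\.?\d)(?:/(\d+))?")

def lit(text):
    """Literal text inside a pattern: a bare '@' must be written as '@@'."""
    return text.replace("@", "@@")

def to_pattern(sample, names):
    """Swap each IPv4[/port] in `sample` for parsers named <names[i]>_ip/_port."""
    out, pos, found = [], 0, list(ENDPOINT.finditer(sample))
    if len(found) != len(names):
        raise ValueError(f"{len(found)} endpoints found, {len(names)} names given")
    for m, name in zip(found, names):
        out.append(lit(sample[pos:m.start()]) + f"@IPv4:{name}_ip@")
        if m.group(2) is not None:
            out.append(f"/@NUMBER:{name}_port@")
        pos = m.end()
    return "".join(out) + lit(sample[pos:])

def to_xml(pattern):
    """Wrap for a patterndb file; &, < and > must be XML-escaped."""
    return f"<pattern>{xml_escape(pattern)}</pattern>"

def extract(pattern, message):
    """Self-check: emulate the two parsers with a regex and return the fields."""
    parts = re.split(r"@(IPv4|NUMBER):(\w+)@", pattern)
    rx = {"IPv4": IPV4, "NUMBER": r"\d+"}
    out = [re.escape(parts[0].replace("@@", "@"))]
    for kind, name, tail in zip(parts[1::3], parts[2::3], parts[3::3]):
        out.append(f"(?P<{name}>{rx[kind]})" + re.escape(tail.replace("@@", "@")))
    m = re.fullmatch("".join(out), message)
    return m.groupdict() if m else None

if __name__ == "__main__":
    p = to_pattern(SAMPLE, ["src", "dst"])
    print(to_xml(p))
    print(extract(p, SAMPLE))
```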