Convert rewrite rules (regex) to patterndb
Hi All,

Are there any tools/scripts anyone has written that will convert regex to patterndb types of matches? So, given some rewrite rule from the "old" way of doing it, convert that rule to a pdb file. Like:

    filter f_asa {
        match('(.*?):?(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)\/(\d+)(.*?)(\).*?)?:?(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)\/(\d+)(.*?)(\d{1,3}+\.\d{1,3}+\.\d{1,3}+\.\d{1,3}+)\/(\d+)(.*)'
              value("MESSAGE") type("pcre") flags("store-matches" "ignore-case"));
    };

    rewrite rw_cisco {
        set("$1 SourceIP: $2 SourcePort:$3 $4 $5DestIP: $6 DestPort:$7 $8 SourceIP: $9 SourcePort:$10 $11",
            value("MESSAGE") condition(filter(f_asa)));
    };

Convert to something like:

    <pattern>%ASA-6-305011: Built dynamic TCP translation from inside:@IPv4:src_ip@/@NUMBER:src_port@ to Outside:@IPv4:dst_ip@/@NUMBER:dst_port@</pattern>

Note: the above is just an example, the regex may not be the same as the actual <pattern> - I just copy-pasted from different files to show an example.
Hi Clayton,

On Wed, Jan 25, 2017 at 10:29:08PM +0000, Clayton Dukes wrote:
Are there any tools/scripts anyone has written that will convert regex to patterndb types of matches? So, given some rewrite rule from the "old" way of doing it, convert that rule to a pdb file.
I'm afraid the two are too semantically different to automatize the process. That being said, there is a `@PCRE@` pattern that might help, but as far as I can remember it won't capture groups.

Cheers
That one captures the entire match as one name value pair. But I guess @NUMBER@ parser would be useful.

On Jan 26, 2017 08:24, "Fabien Wernli" <wernli@in2p3.fr> wrote:
Hi Clayton,
On Wed, Jan 25, 2017 at 10:29:08PM +0000, Clayton Dukes wrote:
Are there any tools/scripts anyone has written that will convert regex to patterndb types of matches? So, given some rewrite rule from the "old" way of doing it, convert that rule to a pdb file.
I'm afraid the two are too semantically different to automatize the process. That being said, there is a `@PCRE@` pattern that might help, but as far as I can remember it won't capture groups.
Cheers
______________________________________________________________________________
Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
FAQ: http://www.balabit.com/wiki/syslog-ng-faq
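As an added illustration (not code from this thread or from syslog-ng), a small Python emulation of how the named parsers in the <pattern> from the original post relate to the positional capture groups of the PCRE filter, and of the point made above that a @PCRE@ parser yields one name-value pair for the whole match. It assumes the @IPv4:name@, @NUMBER:name@ and @PCRE:name:regex@ parser forms, approximates patterndb matching with a whole-message regex match, and uses a constructed ASA sample line.

```python
import re

# Constructed sample line (not from the thread); it follows the
# %ASA-6-305011 text quoted in the original post.
SAMPLE = ("%ASA-6-305011: Built dynamic TCP translation from inside:"
          "10.1.2.3/51234 to Outside:203.0.113.7/51234")

# The <pattern> from the original post, with named parsers.
PDB_PATTERN = ("%ASA-6-305011: Built dynamic TCP translation from inside:"
               "@IPv4:src_ip@/@NUMBER:src_port@ to Outside:"
               "@IPv4:dst_ip@/@NUMBER:dst_port@")

# Same message through a @PCRE:name:regex@ parser (assumed syntax, see lead-in).
PCRE_PATTERN = (r"%ASA-6-305011: Built dynamic TCP translation from "
                r"@PCRE:endpoints:(\w+):(\S+)/(\d+) to (\w+):(\S+)/(\d+)@")

# Regex stand-ins for a few patterndb parsers; an illustration, not syslog-ng's matcher.
PARSER_RE = {"IPv4": r"\d{1,3}(?:\.\d{1,3}){3}", "NUMBER": r"\d+", "ANYSTRING": r".*"}

_TOKEN = re.compile(r"@(\w+):(\w+)(?::(.*?))?@")   # @PARSER:name[:arg]@


def pdb_to_regex(pattern):
    """Turn a patterndb pattern into one regex with a named group per parser."""
    parts, pos = [], 0
    for tok in _TOKEN.finditer(pattern):
        parts.append(re.escape(pattern[pos:tok.start()]))  # literal text between parsers
        parser, name, arg = tok.groups()
        # @PCRE@ keeps the user's regex but wraps it in a non-capturing group,
        # so its inner capture groups never become separate name-value pairs.
        body = "(?:%s)" % arg if parser == "PCRE" else PARSER_RE[parser]
        parts.append("(?P<%s>%s)" % (name, body))
        pos = tok.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts))


def pdb_match(pattern, message):
    """Whole-message match: the literal text ties the rule to one message type,
    unlike the unanchored '(.*?)...(.*)' filter, which fires on any message
    that happens to contain three ip/port pairs."""
    m = pdb_to_regex(pattern).fullmatch(message)
    return m.groupdict() if m else None


def rewrite_message(values):
    """Named-value form of the rewrite template 'SourceIP: $2 SourcePort:$3 ...'."""
    return ("SourceIP: {src_ip} SourcePort:{src_port} "
            "DestIP: {dst_ip} DestPort:{dst_port}").format(**values)
```

Because the names come from the pattern rather than from group positions, a change in the message text breaks the match loudly instead of silently shifting $N into the wrong field.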
Thanks for the info guys, we'll try to work something out on our end.

From: syslog-ng <syslog-ng-bounces@lists.balabit.hu> on behalf of Balazs Scheidler <bazsi77@gmail.com>
Reply-To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Date: Thursday, January 26, 2017 at 2:48 AM
To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>, Fabien Wernli <wernli@in2p3.fr>
Subject: Re: [syslog-ng] Convert rewrite rules (regex) to patterndb

That one captures the entire match as one name value pair. But I guess @NUMBER@ parser would be useful.

On Jan 26, 2017 08:24, "Fabien Wernli" <wernli@in2p3.fr> wrote:

Hi Clayton,

On Wed, Jan 25, 2017 at 10:29:08PM +0000, Clayton Dukes wrote:
Are there any tools/scripts anyone has written that will convert regex to patterndb types of matches? So, given some rewrite rule from the "old" way of doing it, convert that rule to a pdb file.
I'm afraid the two are too semantically different to automatize the process. That being said, there is a `@PCRE@` pattern that might help, but as far as I can remember it won't capture groups.

Cheers
participants (3)
- Balazs Scheidler
- Clayton Dukes
- Fabien Wernli