Kaspersky CyberTrace

Regular expressions for popular devices

This section provides regular expressions that are to be used for parsing events issued by popular devices.

Different versions of a device can issue events in different formats, so you may need to use regular expressions other than those provided in this section.

FireEye devices

The events from FireEye devices require the following regular expressions:

  • Events in CEF format

    Field         Regular expression
    URL1          filePath=([^\s]*?)\s
    URL2          cs5=([^\s]*?)\s
    MD5           fileHash=([^\s]*?)\s
    SrcIp         src=([^\s]*?)\s
    DstIp         dst=([^\s]*?)\s

  • Events in CSV format

    Field         Regular expression
    URL1          cnchost=([^,]*?),
    URL2          objurl=([^,]*?),
    MD5           fileHash=([^,]*?),
    SrcIp         src=([^,]*?),
    DstIp         dst=([^,]*?),

Blue Coat SG devices

The events from Blue Coat SG devices require the following regular expressions:

  • SYSLOG events

    Field         Regular expression
    URL           OBSERVED\s"(?:.*?)"\s(.*?)\s
    URL2          http\s(.*?)\s\d+\s(.*?)\s

Websense devices

The events from Websense devices require the following regular expressions:

  • CEF events

    Field         Regular expression
    URL           request\=(.*?)(?:\s|$)
    IP address    dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

  • LEEF events

    Field         Regular expression
    URL           url\=(.*?)(?:\s|$)
    IP address    dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

  • Key-value pair events

    Field         Regular expression
    URL           url\=(.*?)(?:\s|$)
    IP address    dst_ip\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

Squid devices

The events from Squid devices require the following regular expressions:

Field         Regular expression
URL           (?:GET|POST)\s(.*?)(?:\s)

McAfee Web Gateway devices

The events from McAfee Web Gateway devices require the following regular expressions:

  • Standard events

    Field         Regular expression
    URL           url\=(.*?)(?:\|)
    IP address    server_ip\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\|)

  • CEF events

    Field         Regular expression
    URL           request\=(.*?)(?:\s|$)
    IP address    dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

  • SYSLOG events

    Field         Regular expression
    URL           (?:GET|POST)\s(.*?)(?:\s)

Check Point URL Filtering devices

The events from Check Point URL Filtering devices require the following regular expressions:

  • SYSLOG events

    Field         Regular expression
    IP address    (?:dst)\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Juniper Networks SRX devices

The events from Juniper Networks SRX devices require the following regular expressions:

  • SYSLOG events

    Field         Regular expression
    IP address    (?:\sdestination-address)\="(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"\s

Check Point Firewall devices

The events from Check Point Firewall devices require the following regular expressions:

  • SYSLOG events

    Field         Regular expression
    IP address    dst\:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Palo Alto Networks devices

The events from Palo Alto Networks devices require the following regular expressions:

  • LEEF events

    Field         Regular expression
    IP address    dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

  • SYSLOG events

    Field         Regular expression
    IP address    (?:dst.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

  • CEF events

    Field         Regular expression
    IP address    dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

Fortinet FortiGate devices

The events from Fortinet FortiGate devices require the following regular expressions:

  • SYSLOG events

    Field         Regular expression
    IP address    (?:dst.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Cisco IPS devices

The events from Cisco IPS devices require the following regular expressions:

Field         Regular expression
IP address    (?:dst.*?|to.*?|Dst.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Snort devices

The events from Snort devices require the following regular expressions:

  • UNIFIED2 events

    Field         Regular expression
    IP address    (?:destination.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

  • CSV events

    Field         Regular expression
    IP address    (?:.*?,.*?,.*?,.*?,)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Alternatively, you can use the following regular expressions for parsing events of all types:

Field         Regular expression
IP address    (?:destination.*?|.*?,.*?,.*?,.*?,)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Cisco IronPort devices

The events from Cisco IronPort devices require the following regular expressions:

  • SYSLOG events

    Field         Regular expression
    URL           (?:GET|POST)\s(.*?)\s
    IP address    (?:NONE|DIRECT|DEFAULT_PARENT)\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
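The following Python script is an added example, not part of the CyberTrace documentation or product: it applies the FireEye CEF and Websense CEF expressions from the tables above to constructed sample events and shows one check worth running before deploying a regex, namely whether a value that is the last token of an event is still captured (the FireEye expressions end in `\s`, the Websense ones in `(?:\s|$)`). The event strings and their field values are placeholders.

```python
import re

# Regular expressions copied from the FireEye CEF and Websense CEF tables above.
FIREEYE_CEF = {
    "URL1": r"filePath=([^\s]*?)\s",
    "MD5": r"fileHash=([^\s]*?)\s",
    "SrcIp": r"src=([^\s]*?)\s",
    "DstIp": r"dst=([^\s]*?)\s",
}
WEBSENSE_CEF = {
    "URL": r"request\=(.*?)(?:\s|$)",
    "IP address": r"dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)",
}


def extract(event, patterns):
    """Apply each field regex to one event and return {field: capture group 1}.
    Fields whose regex does not match are omitted, so a caller can notice gaps."""
    fields = {}
    for name, pattern in patterns.items():
        match = re.search(pattern, event)
        if match:
            fields[name] = match.group(1)
    return fields


def extract_padded(event, patterns):
    """Same as extract(), but guarantee trailing whitespace so expressions that
    end in a whitespace token still capture a value that is last in the event."""
    return extract(event.rstrip() + " ", patterns)


# Constructed sample events (placeholder values, not real device output).
FIREEYE_EVENT = (
    "CEF:0|FireEye|MPS|1.0|MO|malware-object|4|src=10.0.0.5 dst=192.0.2.10 "
    "fileHash=d41d8cd98f00b204e9800998ecf8427e filePath=payload.exe"
)
WEBSENSE_EVENT = (
    "CEF:0|Websense|Security|8.0|Transaction:blocked|Transaction blocked|7|"
    "dst=203.0.113.7 request=http://example.test/path"
)

if __name__ == "__main__":
    # filePath is the last token, so the trailing-\s expression misses URL1 ...
    print(extract(FIREEYE_EVENT, FIREEYE_CEF))
    # ... while padding the event (or a (?:\s|$) anchor) recovers it.
    print(extract_padded(FIREEYE_EVENT, FIREEYE_CEF))
    # The Websense expressions anchor on (?:\s|$) and need no padding.
    print(extract(WEBSENSE_EVENT, WEBSENSE_CEF))
```

If a device places a field last in its events, test the expression against such an event, or normalise the event with trailing whitespace before matching, as the padded variant does.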