Regular expressions for popular devices

This section provides regular expressions that are to be used for parsing events issued by popular devices.

Devices of different versions can issue events of different format, so it may be that you must use other regular expressions than those provided in this section.

FireEye devices

The events from FireEye® devices require the following regular expressions:

• Events in CEF format

  Field	Regular expression
  URL1	filePath=([^\s]*?)\s
  URL2	cs5=([^\s]*?)\s
  MD5	fileHash=([^\s]*?)\s
  SrcIp	src=([^\s]*?)\s
  DstIp	dst=([^\s]*?)\s

• Events in CSV format

  Field	Regular expression
  URL1	cnchost=([^,]*?),
  URL2	objurl=([^,]*?),
  MD5	fileHash=([^,]*?),
  SrcIp	src=([^,]*?),
  DstIp	dst=([^,]*?),

Blue Coat® SG devices

The events from Blue Coat SG devices require the following regular expressions:

• SYSLOG events

  Field	Regular expression
  URL	OBSERVED\s"(?:.*?)"\s(.*?)\s
  URL2	http\s(.*?)\s\d+\s(.*?)\s

Websense devices

The events from Websense devices require the following regular expressions:

• CEF events

  Field	Regular expression
  URL	request\=(.*?)(?:\s|$)
  IP address	dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

• LEEF events

  Field	Regular expression
  URL	url\=(.*?)(?:\s|$)
  IP address	dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

• key-value pairs

  Field	Regular expression
  URL	url\=(.*?)(?:\s|$)
  IP address	dst_ip\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

  Squid devices

The events from Squid devices require the following regular expressions:

Field	Regular expression
URL	(?:GET|POST)\s(.*?)(?:\s)

McAfee Web Gateway devices

The events from McAfee® Web Gateway devices require the following regular expressions:

• Standard events

  Field	Regular expression
  URL	url\=(.*?)(?:\|)
  IP address	server_ip\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\|)

• CEF events

  Field	Regular expression
  URL	request\=(.*?)(?:\s|$)
  IP address	dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

• SYSLOG events

  Field	Regular expression
  URL	(?:GET|POST)\s(.*?)(?:\s)

Check Point URL Filtering devices

The events from Check Point URL Filtering devices require the following regular expressions:

• SYSLOG events

  Field	Regular expression
  IP address	(?:dst)\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Juniper Networks SRX devices

The events from Juniper Networks® SRX devices require the following regular expressions:

• SYSLOG events

  Field	Regular expression
  IP address	(?:\sdestination-address)\="(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"\s

Check Point Firewall devices

The events from Check Point Firewall devices require the following regular expressions:

• SYSLOG events

  Field	Regular expression
  IP address	dst\:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Palo Alto Networks devices

The events from Palo Alto Networks devices require the following regular expressions:

• LEEF events

  Field	Regular expression
  IP address	dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

• SYSLOG events

  Field	Regular expression
  IP address	(?:dst.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

• CEF events

  Field	Regular expression
  IP address	dst\=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\s|$)

Fortinet FortiGate devices

The events from Fortinet FortiGate devices require the following regular expressions:

• SYSLOG events

  Field	Regular expression
  IP address	(?:dst.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Cisco IPS devices

The events from Cisco® IPS devices require the following regular expressions:

Field	Regular expression
IP address	(?:dst.*?|to.*?|Dst.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Snort devices

The events from Snort® devices require the following regular expressions:

• UNIFIED2 events

  Field	Regular expression
  IP address	(?:destination.*?)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

• CSV events

  Field	Regular expression
  IP address	(?:.*?,.*?,.*?,.*?,)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Alternatively, you can use the following regular expressions for parsing events of all types:

Field	Regular expression
IP address	(?:destination.*?|.*?,.*?,.*?,.*?,)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Cisco IronPort devices

The events from Cisco IronPort® devices require the following regular expressions:

• SYSLOG events

  Field	Regular expression
  URL	(?:GET|POST)\s(.*?)\s
  IP address	(?:NONE|DIRECT|DEFAULT_PARENT)\/(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Page top