Source > Regular expression

Defines a regular expression for an event source.

Path

Domains > Domain > InputSettings > RegExps > Source > %RegexpName%

The name of this element is the name of the regular expression.

Attributes

This element has the following attributes.

%RegexpName% element attributes

Attribute

Description

type

Specifies the type of value that is extracted by this regular expression.

Possible values:

  • URL—URL
  • MD5—MD5 hash
  • SHA1—SHA1 hash
  • SHA256—SHA256 hash
  • HASH—MD5, SHA1, or SHA256 hash
  • IP—IP address
  • DOMAIN—domain name
  • CONTEXT—context information

This attribute is optional. If it is omitted, the default CONTEXT value is used.

extract

Specifies how multiple values that matched a regular expression must be extracted.

Possible values are all and first.

The all value specifies that all values that match a regular expression must be extracted. For every matched value, a separate detection alert is generated.

The first value specifies that only the first value that matches a regular expression must be extracted.

concatenate

Sets a rule for creating a compound value from data extracted from an event.

use_for_retroscan

Specifies whether the extracted value that matched the specified regular expression must be used for a retrospective scan.

If the extracted value must be used for the retrospective scan, the value of this attribute is true.

If the extracted value must not be used for the retrospective scan, the value of this attribute is false.

Value

This element contains a Boost regular expression.

Example

The following is an example of this element.

<RE_MD5 type="MD5" extract="all" use_for_retroscan="false">([\da-fA-F]{32})</RE_MD5>
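The following added example (not part of the product or its documentation) models the extract attribute with the pattern from RE_MD5 and shows that the unanchored pattern also matches inside a SHA256 hash, so extract="all" yields extra values and therefore extra detection alerts. Python's re module stands in for Boost here; extract_values and BOUNDED_MD5 are hypothetical names, the event line is constructed, and the assumption is that \b behaves the same way in the Boost expression.

```python
import re

# Pattern copied from the RE_MD5 example on this page.
PAGE_MD5 = r"([\da-fA-F]{32})"
# Assumed stricter variant: word boundaries reject 32-character
# slices of a longer hexadecimal run such as a SHA256 hash.
# Note that "_" is a word character, so "md5_<hash>" would not match.
BOUNDED_MD5 = r"\b([\da-fA-F]{32})\b"

# Constructed sample event containing one MD5 and one SHA256 value.
MD5 = "9e107d9d372bb6826bd81d3542a419d6"
SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
EVENT = f"src=10.0.0.5 file_md5={MD5} file_sha256={SHA256}"


def extract_values(pattern, event, extract):
    """Model of the extract attribute (an assumption, not product code).

    "all"   -> every non-overlapping match, one alert candidate each
    "first" -> only the first match
    """
    if extract not in ("all", "first"):
        raise ValueError("extract must be 'all' or 'first'")
    matches = [m.group(1) for m in re.finditer(pattern, event)]
    return matches if extract == "all" else matches[:1]


def spurious_values(pattern, event):
    """Return extracted values that are only fragments of a longer hex run."""
    longer_runs = re.findall(r"[\da-fA-F]{33,}", event)
    return [
        value
        for value in extract_values(pattern, event, "all")
        if any(value in run for run in longer_runs)
    ]


if __name__ == "__main__":
    for name, pattern in (("page", PAGE_MD5), ("bounded", BOUNDED_MD5)):
        print(name, "all   ->", extract_values(pattern, EVENT, "all"))
        print(name, "first ->", extract_values(pattern, EVENT, "first"))
        print(name, "spurious ->", spurious_values(pattern, EVENT))
```
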
