Source > Regular expression

April 11, 2024

ID 198835

Defines a regular expression for an event source.

Path

InputSettings > RegExps > Source > %RegexpName%

The name of this element is the name of the regular expression (shown as %RegexpName% in the path above).

Attributes

This element has the following attributes.

%RegexpName% element attributes

Attribute

Description

concatenate

Sets a rule for creating a compound value from data extracted from an event.

extract

The extract attribute specifies how multiple values that matched a regular expression must be extracted.

Possible values are all and first.

The all value specifies that all values that match a regular expression must be extracted. For every matched value, a separate detection event is generated.

The first value specifies that only the first value that matches a regular expression must be extracted.

type

Specifies the type of value that is extracted by this regular expression.

Possible values:

  • URL—URL address
  • MD5—MD5 hash
  • SHA1—SHA1 hash
  • SHA256—SHA256 hash
  • HASH—MD5, SHA1, or SHA256 hash
  • IP—IP address
  • DOMAIN—domain name
  • CONTEXT—context information

This attribute is optional. If it is omitted, the default CONTEXT value is used.

use_for_retroscan

Specifies whether the extracted value that matched the specified regular expression must be used for a retrospective scan.

If the extracted value must be used for the retrospective scan, the value of this attribute is true.

If the extracted value must not be used for the retrospective scan, the value of this attribute is false.

This attribute cannot be used within elements where the RegExps > Source > id attribute is set for the http_file_lookup or http_single_lookup event sources.

Value

This element contains a Boost regular expression.

Example

The following is an example of this element.

<RE_MD5 type="MD5" use_for_retroscan="true" extract="all">([\da-fA-F]{32})</RE_MD5>
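To make the effect of the extract, type and use_for_retroscan attributes concrete, the following added example (not CyberTrace code) simulates how a Source block such as the one above is applied to an event line. It parses a small constructed Source element with Python's xml.etree, applies each regular expression with Python's re module as a stand-in for Boost regex (the patterns used here are simple enough to behave identically; advanced Boost constructs may differ), emits one detection event per matched value for extract="all" and only one for extract="first", falls back to the CONTEXT type when type is omitted, and collects the values flagged for retrospective scanning. The element names RE_IP and RE_USER, the Source id, the hash and address values and the event line are all constructed for this example; the page states no default for extract, so the simulator requires it, and the concatenate attribute is not modelled because the page does not describe its syntax.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Source block (names, attribute values and patterns made up for this example).
# RE_MD5 mirrors the element shown in the documentation; RE_IP and RE_USER are assumptions.
SOURCE_XML = r"""
<Source id="example_source">
  <RE_MD5 type="MD5" use_for_retroscan="true" extract="all">([\da-fA-F]{32})</RE_MD5>
  <RE_IP type="IP" use_for_retroscan="false" extract="first">(\d{1,3}(?:\.\d{1,3}){3})</RE_IP>
  <RE_USER extract="first">user=(\w+)</RE_USER>
</Source>
"""

# Constructed event line containing two MD5-shaped values, two documentation-range IPs and a user name.
SAMPLE_EVENT = (
    "user=alice downloaded 0123456789abcdef0123456789abcdef and "
    "fedcba9876543210fedcba9876543210 from 192.0.2.10 via 198.51.100.7"
)


def load_regexps(xml_text):
    """Parse the child elements of a Source block into rule dictionaries."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root:
        extract = el.get("extract")
        if extract not in ("all", "first"):
            # The documentation lists only these two values and gives no default.
            raise ValueError(f"{el.tag}: extract must be 'all' or 'first'")
        rules.append({
            "name": el.tag,
            "type": el.get("type", "CONTEXT"),  # CONTEXT is the documented default
            "extract": extract,
            "use_for_retroscan": el.get("use_for_retroscan", "false") == "true",
            # Python re stands in for the Boost regex engine used by the product.
            "pattern": re.compile(el.text.strip()),
        })
    return rules


def extract_from_event(rules, event):
    """Apply every rule to one event line and return the detection events it yields."""
    detections = []
    for rule in rules:
        # Use the first capture group when present, otherwise the whole match.
        matches = [m.group(1) if m.groups() else m.group(0)
                   for m in rule["pattern"].finditer(event)]
        if not matches:
            continue
        if rule["extract"] == "first":
            matches = matches[:1]
        # For extract="all", each matched value becomes its own detection event.
        for value in matches:
            detections.append({
                "regexp": rule["name"],
                "type": rule["type"],
                "value": value,
                "retroscan": rule["use_for_retroscan"],
            })
    return detections


def retroscan_candidates(detections):
    """Values that would be handed to the retrospective scan (use_for_retroscan="true")."""
    return [d["value"] for d in detections if d["retroscan"]]


if __name__ == "__main__":
    dets = extract_from_event(load_regexps(SOURCE_XML), SAMPLE_EVENT)
    for d in dets:
        print(d)
    print("retroscan:", retroscan_candidates(dets))
```

Running the script shows two MD5 detections (extract="all"), a single IP detection even though the line contains two addresses (extract="first"), and a CONTEXT-typed detection for the user name because RE_USER omits the type attribute; only the two hash values are returned as retrospective-scan candidates.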
