User manual JUNIPER NETWORKS JUNIPER NETWORKS STRM TECHNICAL NOTE REV 6-2008





Manual abstract: user guide JUNIPER NETWORKS JUNIPER NETWORKS STRM TECHNICAL NOTE REV 6-2008


[. . . ] For example:

    <pattern id="Protocol" case-insensitive="true" xmlns=""><![CDATA[(tcp|udp|icmp|gre)]]></pattern>

Where (tcp|udp|icmp|gre) is the actual regular expression pattern.

The extension document allows you to parse a device's payload. Within the extension document you can include statements of varying degrees of complexity, as required to parse the desired information.

Understanding Extension Document Elements

This section explains the two main divisions of the extension document:
· Patterns
· Match Groups

Patterns

Rather than associating a regular expression directly with a particular field name, patterns (pattern elements) are declared separately at the top of the extension document and can be subsequently referenced multiple times within the file.

Table 1 Pattern Parameters

Parameter                    Description
id (Required)                Specify a regular string that is unique within the extension document.
case-insensitive (Optional)  Specify if you wish the pattern to ignore character case when doing a match, for example abc is the same as ABC.
trim-whitespace (Optional)   Specify if you wish the pattern to ignore white space and carriage returns.

[. . . ] STRM detects timestamps in the following formats:
· Valid syslog timestamp in the form of mm dd hh:mm:ss, for example: Jan 13 12:33:10
· Current locale timestamp
Any other formats will not properly convert.

Table 4 Matcher Field Names (continued)

Field Name   Description
Protocol     Specify the protocol associated with the event; for example, TCP, UDP, or ICMP. If a protocol is not properly parsed out of a message, ports that were parsed may not appear in STRM (it only displays ports for port-based protocols).
UserName     Specify the user name associated with the event. This field is usually only associated with identity events.
HostName
GroupName
NetBIOSName
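The pattern and matcher mechanics described above (patterns declared once and referenced by id, case-insensitive and trim-whitespace flags, capture-group selection, and the syslog timestamp form STRM recognises) can be reproduced in a few dozen lines. The following is an added example written for this page, not code from the technical note or from Juniper: the extension document and the FWSM-style payload are constructed, the root element name, its namespace and the match-group wrapper are assumed, and the rule that a lower matcher order is tried first is an assumption as well.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed extension document for this example. The <pattern> and <matcher>
# elements follow the technical note; the root element name, its namespace and
# the <match-group> wrapper are assumed (they are not shown in the excerpt).
EXTENSION_DOC = r"""<device-extension xmlns="event_parsing/device_extension">
  <pattern id="Protocol" case-insensitive="true" xmlns=""><![CDATA[(tcp|udp|icmp|gre)]]></pattern>
  <pattern id="SourceIPColonPort" xmlns=""><![CDATA[Source=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):([\d]{1,5})]]></pattern>
  <pattern id="UserNameField" trim-whitespace="true" xmlns=""><![CDATA[user=([^,]*)]]></pattern>
  <match-group order="1" description="constructed example" xmlns="">
    <matcher field="Protocol" order="1" pattern-id="Protocol" capture-group="1" />
    <matcher field="SourceIp" order="1" pattern-id="SourceIPColonPort" capture-group="1" />
    <matcher field="SourcePort" order="1" pattern-id="SourceIPColonPort" capture-group="2" />
    <matcher field="UserName" order="1" pattern-id="UserNameField" capture-group="1" />
  </match-group>
</device-extension>"""

# Constructed syslog payload in the FWSM style the note discusses.
SAMPLE_PAYLOAD = ("Jan 13 12:33:10 fw01 %FWSM-session-0-302015: Teardown TCP connection "
                  "Source=10.0.0.5:51234 user= alice , Dest=192.0.2.10:443")


def compile_patterns(root):
    """Compile each <pattern> once so matchers can reference it by id (Table 1)."""
    patterns = {}
    for p in root.iter("pattern"):
        flags = re.IGNORECASE if p.get("case-insensitive") == "true" else 0
        patterns[p.get("id")] = {
            "regex": re.compile(p.text, flags),
            "trim": p.get("trim-whitespace") == "true",
        }
    return patterns


def apply_matchers(root, patterns, payload):
    """Run the matchers against the payload. capture-group selects which parenthesised
    group becomes the field value; lower 'order' is tried first and the first match
    for a field wins (assumed ordering semantics)."""
    fields = {}
    for m in sorted(root.iter("matcher"), key=lambda e: int(e.get("order", "1"))):
        field = m.get("field")
        if field in fields:
            continue
        pat = patterns[m.get("pattern-id")]
        found = pat["regex"].search(payload)
        if found is None:
            continue
        value = found.group(int(m.get("capture-group", "1")))
        fields[field] = value.strip() if pat["trim"] else value
    return fields


SYSLOG_TS = re.compile(r"^([A-Z][a-z]{2}) +(\d{1,2}) (\d{2}:\d{2}:\d{2})")


def detect_syslog_timestamp(payload, year=2008):
    """Return a datetime for a leading syslog timestamp ('Jan 13 12:33:10' form) or None.
    The note says other formats do not convert properly, so they are reported as None
    rather than guessed at. Syslog omits the year; the caller supplies it (assumed)."""
    m = SYSLOG_TS.match(payload)
    if m is None:
        return None
    try:
        return datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                                 "%Y %b %d %H:%M:%S")
    except ValueError:
        return None  # looks syslog-like but the month token is not a real month


def parse_event(payload, doc=EXTENSION_DOC):
    """Parse one payload with the extension document and return the extracted fields."""
    root = ET.fromstring(doc)
    fields = apply_matchers(root, compile_patterns(root), payload)
    fields["timestamp"] = detect_syslog_timestamp(payload)
    return fields


if __name__ == "__main__":
    for key, value in parse_event(SAMPLE_PAYLOAD).items():
        print(f"{key:10} = {value}")
```

Two points worth noticing when running it: the Protocol pattern matches "TCP" only because case-insensitive="true" is set, and UserName comes back as "alice" rather than " alice " only because trim-whitespace="true" is set on its pattern. A payload whose timestamp is in ISO 8601 form yields None for the timestamp, which is the behaviour the note warns about.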
Single-Event Modifier (event-match-single)

The single-event modifier (event-match-single) matches (and subsequently modifies) exactly one type of event, as specified by the required, case-sensitive EventName parameter. This entity allows mutation of successful events by changing the device event category, severity, or the method for sending identity events. When events matching this event name are parsed, the device category, severity, and identity properties are imposed upon the resulting event. An event-match-single entity consists of three optional properties:

Table 5 Single-Event Modifier Parameters

Parameter              Description
device-event-category  Specify a new category for searching in the QID for the event. This is an optimizing parameter, since some devices have the same category for all events.
severity               If a severity of less than 1 or greater than 10 is specified, the system defaults to 5. If not specified, the default is whatever is found in the QID.
send-identity          Specifies the sending of identity change information from the event. Choose one of the following options:
                       · UseDSMResults - If the DSM returns an identity event, the event is passed on. If the DSM does not return an identity event, the DSM does not create or modify the identity information.
                       · SendIfAbsent - If the DSM creates identity information, the identity event is passed through unaffected. If no identity event is produced by the DSM, but there is enough information in the event to create an identity event, an event is generated with all the relevant fields set.
                       · OverrideAndAlwaysSend - Ignores any identity event returned by the DSM and creates a new identity event, if there is enough information.
                       · OverrideAndNeverSend - Suppress any identity information returned by the DSM.
Multi-Event Modifier (event-match-multiple)

The multi-event modifier (event-match-multiple) matches (and subsequently modifies) a range of event types, as specified by the pattern-id parameter and the capture-group-index parameter.

Note: This match is not run against the payload, but is run against the results of the EventName matcher previously parsed out of the payload.

This entity allows mutation of successful events by changing the device event category, severity, or the method the event uses to send identity events.

The following information, which was needed to create this configuration, was not available from the event itself:
· The event name is only the last six digits (302015) of the %FWSM-session-0-302015 portion of the event.
· The FWSM uses the Cisco Pix QID and therefore includes the device-type-id-override="6" parameter in the match group (the Pix firewall's device type ID is 6, see Table 6). If the QID information is not specified or is unavailable, you can modify the event mapping using the Event Viewer. For more information, see the Modifying Event Mapping section in the STRM Users Guide.
· An event name and a device event category are required when looking for the event in the QID. This device event category is a grouping parameter within the database that helps define like events within a device.

[. . . ] The following example uses multiple capture groups with one pattern:

    <pattern id="SourceIPColonPort" xmlns=""><![CDATA[Source=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):([\d]{1,5})]]></pattern>
    <matcher field="SourceIp" order="1" pattern-id="SourceIPColonPort" capture-group="1" />
    <matcher field="SourcePort" order="1" pattern-id="SourceIPColonPort" capture-group="2" />

Modifying an Event Category

A device event category may be hard-coded, or the severity needs to be adjusted.
The following example adjusts the severity for a single event type:

    <event-match-single event-name="TheEvent" device-event-category="Actual Category" severity="6" send-identity="UseDSMResults" />

Modifying Multiple Event Categories

The following example is similar to the single-event example above, except that it matches all event codes starting with 7 and followed by one to five digits:

    <pattern id="EventNameId" xmlns=""><![CDATA[(7\d{1,5})]]></pattern>
    <event-match-multiple pattern-id="EventNameId" capture-group-index="1" device-event-category="Actual Category" severity="6" send-identity="UseDSMResults"/>

Suppressing Identity Change Events

A DSM may unnecessarily send identity change events. The following are two examples; one is a method of how to suppress identity change events from being sent from a single event type. [. . . ]
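The single-event and multi-event modifiers, the severity fallback in Table 5 and the four send-identity policies above are small enough to model end to end. The following is an added example written for this page, not code from the technical note or from Juniper. The modifier section is constructed (its root element and namespace are assumed); checking event-match-single before event-match-multiple, treating a missing send-identity as UseDSMResults, standing in a constant for the severity a real QID lookup would return, and reducing "enough information to create an identity event" to "a UserName was parsed" are all simplifying assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed modifier section for this example (not from the technical note). The
# event-match-single / event-match-multiple attributes follow the note's examples;
# the root element and its namespace are assumed.
MODIFIER_DOC = r"""<device-extension xmlns="event_parsing/device_extension">
  <pattern id="EventNameId" xmlns=""><![CDATA[(7\d{1,5})]]></pattern>
  <event-match-single event-name="302015" device-event-category="Session Teardown"
                      severity="12" send-identity="OverrideAndNeverSend" xmlns="" />
  <event-match-multiple pattern-id="EventNameId" capture-group-index="1"
                        device-event-category="Actual Category" severity="6"
                        send-identity="SendIfAbsent" xmlns="" />
</device-extension>"""

QID_SEVERITY = 5  # stand-in for the severity a real QID lookup would return (assumed)


def effective_severity(spec, qid_severity=QID_SEVERITY):
    """Table 5 rule: a severity outside 1..10 falls back to 5; an absent one keeps the QID value."""
    if spec is None:
        return qid_severity
    sev = int(spec)
    return sev if 1 <= sev <= 10 else 5


def identity_decision(policy, dsm_identity, enough_info):
    """Map a send-identity value to (send_event, source). dsm_identity says whether the
    DSM itself produced an identity event; enough_info whether the parsed fields could
    build one (simplified here to 'a UserName is present')."""
    if policy == "UseDSMResults":
        return (True, "dsm") if dsm_identity else (False, None)
    if policy == "SendIfAbsent":
        if dsm_identity:
            return (True, "dsm")
        return (True, "generated") if enough_info else (False, None)
    if policy == "OverrideAndAlwaysSend":
        return (True, "generated") if enough_info else (False, None)
    if policy == "OverrideAndNeverSend":
        return (False, None)
    raise ValueError(f"unknown send-identity value: {policy}")


def find_modifier(root, patterns, event_name):
    """Exact, case-sensitive event-name match on event-match-single is checked first
    (assumed precedence); event-match-multiple is then tested against the parsed
    EventName, not the raw payload, as the note specifies."""
    for single in root.iter("event-match-single"):
        if single.get("event-name") == event_name:
            return single
    for multi in root.iter("event-match-multiple"):
        m = patterns[multi.get("pattern-id")].search(event_name)
        if m and m.group(int(multi.get("capture-group-index", "1"))):
            return multi
    return None


def apply_modifiers(event, dsm_identity, doc=MODIFIER_DOC):
    """Impose category, severity and identity handling on a parsed event dict."""
    root = ET.fromstring(doc)
    patterns = {p.get("id"): re.compile(p.text) for p in root.iter("pattern")}
    out = dict(event)
    mod = find_modifier(root, patterns, event["EventName"])
    enough_info = bool(event.get("UserName"))
    if mod is None:
        # No modifier applies: keep the QID severity and whatever identity the DSM produced.
        out["severity"] = effective_severity(None)
        policy = "UseDSMResults"
    else:
        out["device_event_category"] = mod.get("device-event-category")
        out["severity"] = effective_severity(mod.get("severity"))
        policy = mod.get("send-identity", "UseDSMResults")  # default is an assumption
    out["send_identity"], out["identity_source"] = identity_decision(policy, dsm_identity, enough_info)
    return out


if __name__ == "__main__":
    for name in ("302015", "710001", "106001"):
        print(name, apply_modifiers({"EventName": name, "UserName": "alice"}, dsm_identity=True))
```

Running it with the three event names shows the three paths: 302015 hits the single-event modifier, its out-of-range severity="12" collapses to 5 and OverrideAndNeverSend drops the identity event even though the DSM produced one; 710001 matches the (7\d{1,5}) pattern through event-match-multiple and, with SendIfAbsent, gets a generated identity event only when the DSM produced none; 106001 matches nothing and keeps the QID defaults.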


 

Copyright © 2015 - manualRetreiver - All Rights Reserved.
Designated trademarks and brands are the property of their respective owners.