RSA enVision^® Discussions

RSAAdmin · ‎2010-03-02

Posts: 35

Registered: 02-12-2009

Using Regex for IP address

I am trying to use a regex in an alert filter and need a little guidance. First I can use the regex in the Analysis message view and I get the results I want, although when I use the filter in my alert I get nothing.

Here is what I am looking for

Pix Firewall message 106023 and port 8081, unfortunately the only message variables that are available for the filter do not include lport or fport. So I am using [content] regex ([0-9]{1,3}\.){3,3}[0-9]{1,3}\/8081 and I have also tried localaddr and foreign address with the same regex.

Anyone have an idea why this works in the analysis view and not in Alert filters?

RSAAdmin · ‎2010-03-07

I ran into this as well....The RSA Tech I spoke to suggested going to SP3...But I can only find SP1 and SP2 on https://rsasecurity.subscribenet.com/control/rsai/download
I'm curious as to what the fix for your issue is.

Good Luck,

RSAAdmin · ‎2010-03-08

I have created a simple correlation rule and used the regex in botha filter content and watchlist and it works. I am not sure why a simple view did not work, try the correlation rule and see if that works for you.

CharlesBeierle · ‎2010-03-11

SP3 was pulled off the site but has since been reposted. I don't know that it will solve your issue. If it does please post back to let everyone know that it did.

RSA enVision® Discussions

Regex in alertfilter

RSA enVision^® Discussions