Regex in alertfilter

Discussion created by RSA Admin Employee on Mar 2, 2010
Latest reply on Mar 11, 2010 by Charles Beierle
dcoswald
Posts: 35
Registered: 02-12-2009
Using Regex for IP address 

I am trying to use a regex in an alert filter and need a little guidance. First, I can use the regex in the Analysis message view and I get the results I want, although when I use the filter in my alert I get nothing.

Here is what I am looking for:

Pix Firewall message 106023 and port 8081. Unfortunately, the only message variables that are available for the filter do not include lport or fport. So I am using [content] regex ([0-9]{1,3}\.){3,3}[0-9]{1,3}\/8081 and I have also tried localaddr and foreign address with the same regex.

Anyone have an idea why this works in the analysis view and not in Alert filters?

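A way to check offline what the posted content regex matches, as an added example that is not part of the original thread: it runs the regex over constructed sample messages and compares it with a parser that reads the source and destination ports out of message 106023. Assumptions: Python's `re` stands in for the product's regex engine, the 106023 layout is `Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>`, and the names `port_sides` and `compare` are hypothetical.

```python
import re

# Regex exactly as posted in the question.
POSTED = re.compile(r"([0-9]{1,3}\.){3,3}[0-9]{1,3}\/8081")

# Assumed 106023 layout: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port>
ADDR = r"[^:\s]+:((?:[0-9]{1,3}\.){3}[0-9]{1,3})/([0-9]{1,5})"
PIX_106023 = re.compile(r"106023: Deny (\w+) src " + ADDR + r" dst " + ADDR)


def port_sides(line, port=8081):
    """Return which sides ('src', 'dst') of a 106023 message use `port`."""
    m = PIX_106023.search(line)
    if m is None:
        return []  # not a 106023 message with ports (other ID, or ICMP)
    _proto, _sip, sport, _dip, dport = m.groups()
    return [side for side, p in (("src", sport), ("dst", dport))
            if int(p) == port]


# Constructed sample messages using documentation address ranges.
SAMPLES = {
    "dst_8081": '%PIX-4-106023: Deny tcp src outside:198.51.100.7/40112 '
                'dst inside:192.0.2.10/8081 by access-group "outside_in"',
    "src_8081": '%PIX-4-106023: Deny tcp src outside:198.51.100.7/8081 '
                'dst inside:192.0.2.10/443 by access-group "outside_in"',
    "no_8081": '%PIX-4-106023: Deny tcp src outside:198.51.100.7/40112 '
               'dst inside:192.0.2.10/443 by access-group "outside_in"',
    "other_msg": '%PIX-6-302013: Built inbound TCP connection 1201 for '
                 'outside:198.51.100.7/8081 (198.51.100.7/8081) to '
                 'inside:192.0.2.10/443 (192.0.2.10/443)',
}


def compare():
    """Map sample name -> (posted regex matched?, sides using port 8081)."""
    return {name: (POSTED.search(line) is not None, port_sides(line))
            for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

The posted regex on its own matches port 8081 on either side of the connection and in messages other than 106023, so an alert built on it needs the message ID condition alongside it.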