IBM Security QRadar

  • 1.  Help in the DSM Editor with Regex

    Posted Thu January 20, 2022 11:01 AM
    Hello,

    I need help with the DSM editor to parse the USER-AGENT field. My problem is that the USER-AGENT changes its value, and I would like to find something generic for the parser. Example:

    User-Agent: Mozilla/5.0 (Linux; U; Android 10; es-es; Redmi Note 7 Build/QKQ1.190910.002) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/89.0.4389.116 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.21.0-gn\r\n
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.62\r\n

    I am looking for a way to do it in a generic way. I have created 4 expressions, and 3 of them have been disabled in QRadar because they consume too many resources.

    Thanks!!!

    ------------------------------
    cristian librero
    ------------------------------


  • 2.  RE: Help in the DSM Editor with Regex

    Posted Fri January 21, 2022 06:18 PM

    Hello Cristian,

    Is there another field that comes after the User-Agent field? If so you can use it as a "perimeter" for the capture, like so:

    User-Agent: (.*?) Next-Field:

    Cheers


    Colin



    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 3.  RE: Help in the DSM Editor with Regex

    Posted Mon January 24, 2022 07:04 AM
    Hello Colin,

    Yes, that's true, but my problem is that the characters "\r" and "\n" are not removed, so the parsing is not done correctly.

    I need it without the characters \r and \n.

    Thanks.

    Regards.

    ------------------------------
    cristian librero
    ------------------------------



  • 4.  RE: Help in the DSM Editor with Regex

    Posted Mon January 24, 2022 08:57 AM
    Hello Colin,

    This is the result of your expression in Regex.

    Sorry, it isn't useful. :(

    Thanks.

    ------------------------------
    cristian librero
    ------------------------------



  • 5.  RE: Help in the DSM Editor with Regex

    Posted Mon January 24, 2022 01:44 PM
    That's because you didn't include the next field. The User-Agent field is followed by the Accept field, so use a regex like this:

    User-Agent: (.*?)Accept:

    Or since you want to remove the \r\n characters, do this:

    User-Agent: (.*?)\r\nAccept:

    Cheers

    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 6.  RE: Help in the DSM Editor with Regex

    Posted Mon February 14, 2022 06:34 PM
    You should be able to work off of the \r alone, without the Accept:.  Depending on exactly what's in the log, you might need to escape the backslash.  So, one of these should work:

    User-Agent: (.*?)\r
    User-Agent: (.*?)\\r

    The critical thing is to use (.*?) instead of (.*).  That allows the regex parser to match the first substring that works, instead of trying for the biggest.  An even better way to do it is like this:

    User-Agent: ([^\r]*)

    This tells the regex parser to take all non-\r characters and stop when it sees one or the end of the log entry.

    ------------------------------
    Dan Zerkle
    ------------------------------
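As an added illustration (not code from the thread or from QRadar), the candidate expressions from the replies above run in Python's re module against a constructed request. The sample payload, its escaped-backslash variant and the helper names are assumptions, and QRadar's Java-based engine may treat line terminators differently from Python's dot, so results there can differ.

```python
import re

# Constructed sample request (not from the thread): real CR/LF control
# characters end each header line, and Accept: follows User-Agent:.
UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.62")
RAW_CRLF = (
    "Host: example.invalid\r\n"
    f"User-Agent: {UA}\r\n"
    "Accept: text/html\r\n"
)
# Some sources store the line break as the printable text "\r\n" (four
# characters) rather than control characters; this constructed variant
# models that case, which is why an escaped backslash may be needed.
ESCAPED_CRLF = RAW_CRLF.replace("\r\n", "\\r\\n")


def capture(pattern: str, payload: str, flags: int = 0):
    """Return group 1 of the first match, or None when nothing matches."""
    m = re.search(pattern, payload, flags)
    return m.group(1) if m else None


def compare_patterns() -> dict:
    """Run each expression discussed in the thread against both samples."""
    return {
        # Greedy (.*): takes the biggest match and swallows later headers.
        "greedy_dotall": capture(r"User-Agent: (.*)", RAW_CRLF, re.DOTALL),
        # Lazy (.*?) bounded by the next field: CR LF stays in the capture.
        "lazy_accept": capture(r"User-Agent: (.*?)Accept:", RAW_CRLF, re.DOTALL),
        # Same boundary, but the CR LF is consumed outside the group.
        "lazy_crlf_accept": capture(r"User-Agent: (.*?)\r\nAccept:", RAW_CRLF),
        # Boundary on CR alone: no dependency on which header follows.
        "lazy_cr": capture(r"User-Agent: (.*?)\r", RAW_CRLF),
        # Negated class: stop at the first CR or at the end of the entry.
        "negated_class": capture(r"User-Agent: ([^\r]*)", RAW_CRLF),
        # Literal "\r" text in the log: the unescaped form finds no CR ...
        "escaped_cr_raw": capture(r"User-Agent: (.*?)\r", ESCAPED_CRLF),
        # ... the escaped backslash matches the two printable characters.
        "escaped_cr_literal": capture(r"User-Agent: (.*?)\\r", ESCAPED_CRLF),
        # The negated class also needs a real CR; without one it runs on.
        "escaped_negated": capture(r"User-Agent: ([^\r]*)", ESCAPED_CRLF),
    }


if __name__ == "__main__":
    for name, value in compare_patterns().items():
        print(f"{name:20} -> {value!r}")
```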