IBM QRadar

  • 1.  Help in the DSM Editor with Regex

    Posted Thu January 20, 2022 11:01 AM
    Hello,

    I need help with the DSM editor to parse the USER-AGENT field. My problem is that the USER-AGENT value changes, and I would like to find something generic for the parser. Example:

    User-Agent: Mozilla/5.0 (Linux; U; Android 10; es-es; Redmi Note 7 Build/QKQ1.190910.002) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/89.0.4389.116 Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.21.0-gn\r\n
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.62\r\n

    I am looking for a way to do it in a generic way. I have created 4 expressions, and 3 of them have been disabled in QRadar because they consume too many resources.

    Thanks!!!

    ------------------------------
    cristian librero
    ------------------------------


  • 2.  RE: Help in the DSM Editor with Regex

    Posted Fri January 21, 2022 06:18 PM

    Hello Cristian,

    Is there another field that comes after the User-Agent field? If so you can use it as a "perimeter" for the capture, like so:

    User-Agent: (.*?) Next-Field:

    Cheers


    Colin



    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 3.  RE: Help in the DSM Editor with Regex

    Posted Mon January 24, 2022 07:04 AM
    Hello Colin,

    Yes, that's true, but my problem is that the characters "\r" and "\n" are not removed, so the parsing is not done correctly.

    I need it without the characters \r and \n.

    Thanks.

    Regards.

    ------------------------------
    cristian librero
    ------------------------------



  • 4.  RE: Help in the DSM Editor with Regex

    Posted Mon January 24, 2022 08:57 AM
    Hello Colin,

    This is the result of your expression in Regex.

    Sorry, It isn't useful. :(

    Thanks.

    ------------------------------
    cristian librero
    ------------------------------



  • 5.  RE: Help in the DSM Editor with Regex

    Posted Mon January 24, 2022 01:44 PM
    That's because you didn't include the next field. The User-Agent field is followed by the Accept field, so use a regex like this:

    User-Agent: (.*?)Accept:

    Or since you want to remove the \r\n characters, do this:

    User-Agent: (.*?)\r\nAccept:

    Cheers

    Colin

    ------------------------------
    COLIN HAY
    IBM Security
    ------------------------------



  • 6.  RE: Help in the DSM Editor with Regex

    Posted Mon February 14, 2022 06:34 PM
    You should be able to work off of the \r alone, without the Accept:.  Depending on exactly what's in the log, you might need to escape the backslash.  So, one of these should work:

    User-Agent: (.*?)\r
    User-Agent: (.*?)\\r

    The critical thing is to use (.*?) instead of (.*).  That allows the regex parser to match the first substring that works, instead of trying for the biggest.  An even better way to do it is like this:

    User-Agent: ([^\r]*)

    This tells the regex parser to take all non-\r characters and stop when it sees one or the end of the log entry.

    ------------------------------
    Dan Zerkle
    ------------------------------
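
Added worked example (not part of the thread, and not IBM or QRadar code): the script below runs the patterns from posts 5 and 6, plus the greedy form the question started from, over three constructed sample events and shows what each capture group returns. The sample events are made up; only the two User-Agent strings are the ones quoted in the question. Python's re module stands in for the Java engine behind the DSM Editor, so one result differs: in Python, "." matches a real carriage return (only "\n" is excluded), while Java also treats "\r" as a line terminator, so the greedy pattern on the first sample would stop before the CR in QRadar. The escaped-backslash sample, the tail-of-event sample and the negated-class patterns behave the same in both engines. The "negated_both" pattern, which also stops at a literal backslash, is my addition and not from the thread.

```python
from __future__ import annotations

import re
from typing import Optional

# Constructed sample events (not from the original thread). The two User-Agent
# strings are the ones quoted in the question; the surrounding headers are made up.
UA1 = ("Mozilla/5.0 (Linux; U; Android 10; es-es; Redmi Note 7 Build/QKQ1.190910.002) "
       "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/89.0.4389.116 "
       "Mobile Safari/537.36 XiaoMi/MiuiBrowser/12.21.0-gn")
UA2 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
       "Chrome/97.0.4692.71 Safari/537.36 Edg/97.0.1072.62")

# 1. Real CRLF line terminators, User-Agent followed by Accept.
CRLF_EVENT = "Host: example.test\r\nUser-Agent: " + UA1 + "\r\nAccept: text/html\r\n"
# 2. Same layout, but the log source escaped the terminators, so the payload holds
#    the four literal characters backslash, r, backslash, n (Dan's "escape the backslash" case).
LITERAL_EVENT = "Host: example.test\\r\\nUser-Agent: " + UA2 + "\\r\\nAccept: */*\\r\\n"
# 3. User-Agent is the last header and nothing follows it.
TAIL_EVENT = "Host: example.test\r\nUser-Agent: " + UA2

EVENTS = [CRLF_EVENT, LITERAL_EVENT, TAIL_EVENT]

# Raw strings, so the regex engine sees exactly what you would type into the DSM Editor.
PATTERNS = {
    "greedy":          r"User-Agent: (.*)",              # the form the question started from
    "lazy_to_accept":  r"User-Agent: (.*?)\r\nAccept:",  # post 5
    "lazy_to_cr":      r"User-Agent: (.*?)\r",           # post 6, real CR terminator
    "lazy_to_literal": r"User-Agent: (.*?)\\r",          # post 6, escaped CR in the payload
    "negated_cr":      r"User-Agent: ([^\r]*)",          # post 6, recommended form
    "negated_both":    r"User-Agent: ([^\r\\]*)",        # assumption: also stop at a literal backslash
}


def extract(pattern: str, event: str) -> Optional[str]:
    """Return capture group 1 of the first match, or None when the pattern does not match."""
    m = re.search(pattern, event)
    return m.group(1) if m else None


def matrix() -> dict[str, list[Optional[str]]]:
    """Run every pattern over every sample event; result index order follows EVENTS."""
    return {name: [extract(p, e) for e in EVENTS] for name, p in PATTERNS.items()}


if __name__ == "__main__":
    # Note: with real CRLF (event 1) Python's "." keeps the trailing "\r" in the greedy
    # capture; Java (QRadar) would stop before it. Every other row is engine-independent.
    for name, results in matrix().items():
        print(name)
        for event_no, value in enumerate(results, 1):
            print(f"  event {event_no}: {value!r}")
```

What the matrix shows: the lazy forms that depend on a following literal (Accept:, a real CR, or an escaped CR) return nothing at all when that literal is absent, so a single pattern of that shape cannot serve both an escaped and an unescaped log source, nor an event where User-Agent is the last header. The negated character class matches to end-of-event in that last case and never backtracks, which is also why it is the cheapest of these patterns on a busy event pipeline; the only thing it needs is the right terminator set for how the source actually encodes its line breaks.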