UNIVERSAL DSM
You can use a regular expression calculator to verify that a regular expression
search pattern functions properly against the event string being parsed. You can
download a commonly used freeware Windows-based regular expression
calculator from: http://www.silveragesoftware.com/rxl.html.

Using Device Extensions

If you are running STRM 6.1.2 or above, we recommend that you use device
extensions to associate a Universal DSM to devices.
Device extensions allow you to immediately extend parsing routines. You can
configure device extension information using the sensor devices window in the
STRM Administration Console. For information about device extensions, see the
Managing Sensor Devices Guide.
Note: If you are running STRM 6.1.1 or earlier, see the following sections for
information on configuring your Universal DSM.

Universal DSM Example

This section provides an example of a Universal DSM. This example includes a
simple software-based UNIX firewall. This UNIX firewall creates two critical syslog
messages (firewall accept and firewall deny) suitable for STRM to parse. For
example:
Firewall Accept example -> Jun 09 16:50:43.813005 rule 669/(match) user="john doe" pass in on em1: 172.16.11.240.1844 > 172.16.53.34.6080: S 2744116838:2744116838(0) win 16384 mss1460,nop,nop,sackOK> 00:01:23:45:67:89 > 01:22:33:44:55:66

Firewall Deny example -> Mar 26 22:06:16.057139 rule 0/0(match): block in on rl0: 172.16.165.146.53 > 172.16.169.126.1026: 1024 update
The Universal DSM supports the parsing of Event Name, Source IP Address,
Destination IP Address, Source Port, Destination Port, and Protocol from within
event messages. When building a Universal DSM, the first goal is to analyze the
available event messages and isolate which of the data fields are actually
contained within the messages. In this UNIX firewall example, the syslog
messages contain data for all of the fields except for Protocol, as displayed in the
table below:
Table 84-1 Example of Messages

                       | Event Name | Source IP Address | Destination IP Address | Source Port
Firewall Accept Record | pass       | 172.16.11.240     | 172.16.53.34           | 1844
Firewall Deny Record   | block      | 172.16.165.146    | 172.16.169.126         | 53

Configuring DSMs Guide
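The field isolation described above, worked through as an added example that is not part of the guide: one regular expression search pattern that extracts Event Name, Source IP Address, Destination IP Address, Source Port and Destination Port from both sample messages, leaves Protocol unset because the messages do not carry it, and rejects lines that do not match. The two message strings are the examples above; the field names and the validation limits are assumptions.

```python
import re
from typing import Optional

# The two sample syslog messages from the guide, embedded here as test input.
FIREWALL_ACCEPT = (
    'Jun 09 16:50:43.813005 rule 669/(match) user="john doe" pass in on em1: '
    '172.16.11.240.1844 > 172.16.53.34.6080: S 2744116838:2744116838(0) win 16384 '
    'mss1460,nop,nop,sackOK> 00:01:23:45:67:89 > 01:22:33:44:55:66'
)
FIREWALL_DENY = (
    'Mar 26 22:06:16.057139 rule 0/0(match): block in on rl0: '
    '172.16.165.146.53 > 172.16.169.126.1026: 1024 update'
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# The firewall writes each endpoint as "<ip>.<port>", so the port is the digit run
# after the fourth octet. Anchoring on "<action> in|out on <iface>:" keeps the
# pattern from latching onto the MAC addresses or TCP sequence numbers later in
# the accept message. Group names are assumed, not STRM's own identifiers.
EVENT_RE = re.compile(
    rf"\b(?P<event_name>pass|block) (?:in|out) on \w+: "
    rf"(?P<source_ip>{IPV4})\.(?P<source_port>\d+) > "
    rf"(?P<destination_ip>{IPV4})\.(?P<destination_port>\d+):"
)


def _valid_ip(ip: str) -> bool:
    return all(int(octet) <= 255 for octet in ip.split("."))


def parse_firewall_event(message: str) -> Optional[dict]:
    """Return the Universal DSM fields found in one syslog line, or None.

    None is returned both for lines the pattern does not match and for lines
    whose octets or ports are out of range, so a malformed line is dropped
    rather than mapped to a bogus event.
    """
    match = EVENT_RE.search(message)
    if match is None:
        return None
    fields = match.groupdict()
    if not (_valid_ip(fields["source_ip"]) and _valid_ip(fields["destination_ip"])):
        return None
    for port_key in ("source_port", "destination_port"):
        if not 0 <= int(fields[port_key]) <= 65535:
            return None
    # Protocol is not present in these messages (see Table 84-1), so it stays unset.
    fields["protocol"] = None
    return fields
```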