Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CONFIGURING DSMS REV 1 Manual page 205


The table below details the regular expressions used to search and parse the event message for the UNIX firewall in this example.
Table 84-2 Regular Expressions

| Field | Firewall Accept | Firewall Deny | Regular Expressions |
|---|---|---|---|
| Event Name | Record pass | Record block | `\s(pass)\s` & `\s(block)\s` |
| Source IP | 172.16.11.240 | 172.16.165.146 | `\s(\d+\.\d+\.\d+\.\d+)\.` |
| Destination IP | 172.16.11.240 | 172.16.169.126 | `\>\s(\d+\.\d+\.\d+\.\d+)\.` |
| Source Port | 1844 | 53 | `\.(\d+)\s\>\s` |
| Destination Port | 6080 | 1026 | `\.(\d+)\:\s` |
| Protocol | (not available) | (not available) | (not available) |
| User Name | John Doe | (not available) | `user=\"([^\"]+)\"` |
| Host Name | (not available) | (not available) | (not available) |
| Source Mac Address | 00:01:23:45:67:89 | (not available) | `[0-9a-fA-F][0-9a-fA-F][:\-][0-9a-fA-F][0-9a-fA-F][:\-][0-9a-fA-F][0-9a-fA-F][:\-][0-9a-fA-F][0-9a-fA-F][:\-][0-9a-fA-F][0-9a-fA-F][:\-][0-9a-fA-F][0-9a-fA-F]` |
| Destination Mac Address | (not available) | (not available) | (not available) |
| Netbios Name | (not available) | (not available) | (not available) |
| Group Name | (not available) | (not available) | (not available) |
| Severity | (not available) | (not available) | (not available) |
| Device Time | (not available) | (not available) | `(\w{3} \d{2} \d{1,2}\:\d{2}\:\d{2})\.\d+` |
| Source IP Pre NAT | (not available) | (not available) | (not available) |
| Destination IP Pre NAT | (not available) | (not available) | (not available) |
| Source IP Post NAT | (not available) | (not available) | (not available) |
| Destination IP Post NAT | (not available) | (not available) | (not available) |
| Destination Port Post NAT | (not available) | (not available) | (not available) |
| Destination Port Pre NAT | (not available) | (not available) | (not available) |
| Source Port Pre NAT | (not available) | (not available) | (not available) |
| Source Port Post NAT | (not available) | (not available) | (not available) |

Configuring DSMs Guide    Universal DSM Example    199
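To see what Table 84-2's patterns actually pull out of a payload before committing them to a Universal DSM, the following Python script (an added example, not part of the manual and not Juniper's code) applies the table's regular expressions to two constructed sample events. The two sample payloads, the `parse_event` and `unmatched_fields` helpers, and the choice to report a non-matching field as `None` are assumptions of this example; the regular expressions themselves are copied verbatim from the table.

```python
import re

# Event-name patterns from Table 84-2: whichever matches decides the event name.
EVENT_NAME_PATTERNS = [
    ("Firewall Accept", r"\s(pass)\s"),
    ("Firewall Deny", r"\s(block)\s"),
]

# Field patterns from Table 84-2, paired with the capture group to keep.
# The MAC pattern in the table has no capture group, so the whole match
# (group 0) is used for it.
FIELD_PATTERNS = {
    "Source IP": (r"\s(\d+\.\d+\.\d+\.\d+)\.", 1),
    "Destination IP": (r"\>\s(\d+\.\d+\.\d+\.\d+)\.", 1),
    "Source Port": (r"\.(\d+)\s\>\s", 1),
    "Destination Port": (r"\.(\d+)\:\s", 1),
    "User Name": (r"user=\"([^\"]+)\"", 1),
    "Source Mac Address": (
        r"[0-9a-fA-F][0-9a-fA-F]" + r"[:\-][0-9a-fA-F][0-9a-fA-F]" * 5, 0),
    "Device Time": (r"(\w{3} \d{2} \d{1,2}\:\d{2}\:\d{2})\.\d+", 1),
}

# Constructed sample payloads (not taken from the manual), modelled on the
# values shown in Table 84-2 for the accept and deny events.
SAMPLE_EVENTS = {
    "accept": ('Jan 22 10:08:31.123 fw1 00:01:23:45:67:89 Record pass '
               '172.16.11.240.1844 > 172.16.11.240.6080: user="John Doe"'),
    "deny": ('Jan 22 10:08:35.456 fw1 Record block '
             '172.16.165.146.53 > 172.16.169.126.1026: proto=udp'),
}


def parse_event(payload):
    """Return the fields Table 84-2 can extract from one event payload.

    A field whose pattern does not match is reported as None; in STRM that
    field would simply be empty, so None here is the signal that a pattern
    is too tight for this vendor's log format.
    """
    fields = {"Event Name": None}
    for name, pattern in EVENT_NAME_PATTERNS:
        if re.search(pattern, payload):
            fields["Event Name"] = name
            break
    for field, (pattern, group) in FIELD_PATTERNS.items():
        match = re.search(pattern, payload)
        fields[field] = match.group(group) if match else None
    return fields


def unmatched_fields(payload):
    """List the fields whose pattern found nothing in the payload."""
    return [field for field, value in parse_event(payload).items()
            if value is None]


if __name__ == "__main__":
    for label, payload in SAMPLE_EVENTS.items():
        print(label, parse_event(payload))
        print("  unmatched:", unmatched_fields(payload))
```

Running the script shows the accept event filling every field in the table, while the deny event leaves User Name and Source Mac Address empty because that payload carries neither a `user="..."` token nor a MAC address; checking the unmatched list per event type is a quick way to confirm that the patterns cover every log variant the device emits before the DSM goes live.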