Getting a "constant" value into a custom parser

alec.waters
Level 1

Hello,

I have written several custom parsers, all of which extract source/dest IP and port from raw messages. They're all working fine in that respect.

What I need is for the MARS to also parse out the "protocol" value, which isn't present in the messages as they apply exclusively to TCP traffic. Can I have the MARS match on some arbitrary string and put a constant into the "protocol" field, rather than attempt to parse it out from the raw message?

Many thanks,

alec

1 Reply

umedryk
Level 5

The Parsed Field is one of the fields of a MARS event that has been fully parsed.

Custom Parser: Patterns not displayed in the correct order; it is a bug.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.2/user/guide/local_controller/cfgcustm.pdf
