Fleet Admiral

McAfee ePO - Source Address empty but in Device Custom IPv6 Address2 - Parser Override


Hello Community,

I want to deploy a parser override for McAfee ePO to populate the IPv4 source address from the IPv6 address.

The IP address looks like this: ::FFFF:1.2.3.4

1. Parser Location

.../current/user/agent/fcp/epo_db/virusscan4_5_virusscan.sdkibdatabase.properties

2. Parser Regex

event.sourceAddress=__regexToken(sourceipv6,"(?:::ffff:)?(\\d+\\.\\d+\\.\\d+\\.\\d+)")

But this would override every time; what do I need to use if I want to override the source address only in case it is empty?

Thx, Volker


6 Replies

Fleet Admiral

event.sourceAddress=__oneOfAddress(__integerToAddressMcAfee(sourceaddress),__numberToAddress(__getIPv4AddressEmbeddedInIPv6Address(sourceipv6)))

Fleet Admiral

For some reason it's not taking the parser file, am I doing something wrong with the name?

virusscan4_5_virusscan.sdkibdatabase.properties

Fleet Admiral

Needs to be in:

$AGENT_DIR/current/user/agent/fcp/epo_db/virusscan/4_5_virusscan.sdkibdatabase.properties

You should see it being read in agent.log.

Fleet Admiral

Hello Shaun,

Now it reads the parser override:

ContentInputStreamOverrides[0]...............12/21/15 3:27 PM: [/opt/arcsight/connectors/connector_7/current/user/agent/fcp/epo_db/virusscan/4_5_virusscan.sdkibdatabase.properties] augments [epo_db/virusscan/4_5_virusscan.sdkibdatabase.properties] for AUP type [fcp] and ID [3n7UojFEBABDoOUyPFWXxww==]

however the Attacker Address is still empty:

Any idea?

Volker

Fleet Admiral (accepted solution)

I don't know how the data gets populated into deviceCustomIPv6Address1 (your screenshot is cut off, so I'll assume 1).

Since we know the data is somehow in there, try using a map file:

map.0.properties

-------------------------

set.expr(deviceCustomIPv6Address1).event.sourceAddress

"__numberToAddress(__getIPv4AddressEmbeddedInIPv6Address(deviceCustomIPv6Address1))"

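The "only fill it when it is empty" behaviour of __oneOfAddress from the earlier reply and the IPv4-mapped extraction used in the map file above, modelled in Python as an added illustration (this is not connector code, and the connector's built-in functions, including __integerToAddressMcAfee, are not reproduced; sourceaddress is assumed to already be a dotted-quad string or empty). It also shows, beyond the thread, why a strict parse is safer than the loose regex from the first post, which would pull a dotted quad out of any IPv6 text.

```python
import ipaddress
import re

# The capture from the first parser override on the page: optional "::ffff:" prefix, then a dotted quad.
EMBEDDED_V4 = re.compile(r"(?:::ffff:)?(\d+\.\d+\.\d+\.\d+)", re.IGNORECASE)


def regex_embedded_ipv4(sourceipv6):
    """Loose extraction: any dotted quad in the string is taken, whatever the IPv6 prefix."""
    match = EMBEDDED_V4.search(sourceipv6 or "")
    return match.group(1) if match else None


def mapped_ipv4(sourceipv6):
    """Strict extraction: only a genuine IPv4-mapped IPv6 address (::ffff:a.b.c.d in any
    textual form) yields an IPv4; empty, unparsable or non-mapped input yields None."""
    if not sourceipv6:
        return None
    try:
        addr = ipaddress.IPv6Address(sourceipv6.strip())
    except ValueError:
        return None
    return str(addr.ipv4_mapped) if addr.ipv4_mapped is not None else None


def one_of_address(*candidates):
    """Models __oneOfAddress: the first candidate that is a valid, non-empty address wins."""
    for value in candidates:
        if not value:
            continue
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            continue
    return None


def source_address(sourceaddress, sourceipv6):
    """Keep an already-populated sourceaddress; fall back to the IPv4 embedded in
    sourceipv6 only when sourceaddress is empty (the behaviour asked for in the thread)."""
    return one_of_address(sourceaddress, mapped_ipv4(sourceipv6))


if __name__ == "__main__":
    # Constructed sample values, not taken from a real ePO database.
    print(source_address("", "::FFFF:1.2.3.4"))          # 1.2.3.4  (fallback used)
    print(source_address("10.0.0.5", "::FFFF:1.2.3.4"))  # 10.0.0.5 (existing value kept)
    print(source_address("", "2001:db8::1"))             # None     (not IPv4-mapped)
```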
Fleet Admiral

Hello Shaun,

Thanks a lot, that worked perfectly.

It was deviceCustomIPv6Address2.

Volker
