This website uses cookies. By continuing to browse or login to this website, you consent to the use of cookies. Learn more.
OK
Volker Michels
Fleet Admiral Fleet Admiral
Fleet Admiral
‎2015-12-18 13:26
633 views

McAfee ePO - Source Adress empty but in Device Custom IPv6 Address2 - Parser Override

Jump to solution

Hello Community,

I want to deploy a parser override for McAfee ePO to populate IpV4 source address from IPv6 adress.

The IP address is looking like this: ::FFFF:1.2.3.4

1. Parser Location

.../current/user/agent/fcp/epo_db/virusscan4_5_virusscan.sdkibdatabase.properties

2. Parser Regex

event.sourceAddress=__regexToken(sourceipv6,"(?:::ffff:)?(\\d+\\.\\d+\\.\\d+\\.\\d+)")

But this would override everytime, what do I need to use if I want to override the source address only in case it is empty?

Thx, Volker

Labels (2)
0 Likes
Reply
Report Inappropriate Content
1 Solution

Accepted Solutions
Shaun
Fleet Admiral Fleet Admiral
Fleet Admiral
‎2015-12-21 18:21

Jump to solution

I don't know how the data gets populated into deviceCustomIPv6Address1 (Your screenshot is cutoff so I'll assume 1)

Since we know the data is somehow in there, try using a map file:

map.0.properties

-------------------------

set.expr(deviceCustomIPv6Address1).event.sourceAddress

"__numberToAddress(__getIPv4AddressEmbeddedInIPv6Address(deviceCustomIPv6Address1))"

View solution in original post

0 Likes
Reply
Report Inappropriate Content
6 Replies
Shaun
Fleet Admiral Fleet Admiral
Fleet Admiral
‎2015-12-18 15:39

Jump to solution

event.sourceAddress=__oneOfAddress(__integerToAddressMcAfee(sourceaddress),__numberToAddress(getIPv4AddressEmbeddedInIPv6Address(sourceipv6)))

0 Likes
Reply
Report Inappropriate Content
Volker Michels
Fleet Admiral Fleet Admiral
Fleet Admiral
‎2015-12-18 16:18

Jump to solution

For some reason it's not taking the parser file, am I doing something wrong with the name?

virusscan4_5_virusscan.sdkibdatabase.properties

0 Likes
Reply
Report Inappropriate Content
Shaun
Fleet Admiral Fleet Admiral
Fleet Admiral
‎2015-12-18 18:01

Jump to solution

needs to be in:

$AGENT_DIR/current/user/agent/fcp/epo_db/virusscan/4_5_virusscan.sdkibdatabase.properties

you should see it being read from in agent.log

0 Likes
Reply
Report Inappropriate Content
Volker Michels
Fleet Admiral Fleet Admiral
Fleet Admiral
‎2015-12-21 14:40

Jump to solution

Hello Shaun,

now it reads the parser ovverride:

ContentInputStreamOverrides[0]...............12/21/15 3:27 PM: [/opt/arcsight/connectors/connector_7/current/user/agent/fcp/epo_db/virusscan/4_5_virusscan.sdkibdatabase.properties] augments [epo_db/virusscan/4_5_virusscan.sdkibdatabase.properties] for AUP type [fcp] and ID [3n7UojFEBABDoOUyPFWXxww==]

however the Attacker Address is still empty:

Any idea?

Volker

0 Likes
Reply
Report Inappropriate Content
Shaun
Fleet Admiral Fleet Admiral
Fleet Admiral
‎2015-12-21 18:21

Jump to solution

I don't know how the data gets populated into deviceCustomIPv6Address1 (Your screenshot is cutoff so I'll assume 1)

Since we know the data is somehow in there, try using a map file:

map.0.properties

-------------------------

set.expr(deviceCustomIPv6Address1).event.sourceAddress

"__numberToAddress(__getIPv4AddressEmbeddedInIPv6Address(deviceCustomIPv6Address1))"

View solution in original post

0 Likes
Reply
Report Inappropriate Content
Volker Michels
Fleet Admiral Fleet Admiral
Fleet Admiral
‎2015-12-22 09:48

Jump to solution

Hello Shaun,

thanks a lot the worked perfectly.

It was deviceCustomIPv6Address2.

Volker

0 Likes
Reply
Report Inappropriate Content
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.