John.Ireland1 Trusted Contributor.

WiNC "Denial Of Service" message generated from EMET log

My WiNC connector is periodically generating a built-in "Denial of service event filtering triggered" event when it processes some Microsoft EMET:50 messages. The DOS message complains that the "Field [rawEvent] truncated to ["System":EventId":"50",Version":"","Channel":"Application","ProviderName":"EMET",......

The original EMET message is lost and replaced by the ArcSight DOS message. But I want to retain (a truncated version of) the original message instead.

I am struggling to work out how to generate a parser override that truncates the oversized rawEvent field using conditional mappings, e.g. what I want is an expression that substitutes the rawEvent field in the event with a truncated version. I have tried many things but it seems that the right-hand side of any expression is not processed if it is from the event itself. E.g. to truncate to 100 characters:

conditionalmap.count=1
conditionalmap.field=event.externalId
conditionalmap[0].mappings.count=2
conditionalmap[0].mappings[0].values=50
conditionalmap[0].mappings[0].event.rawEvent=__regexToken(event.rawEvent,"^[\s\S]{0,100}")

or

conditionalmap[0].mappings[0].event.rawEvent=__regexToken(%1,"^[\s\S]{0,100}")

Please can someone advise how this can be achieved?

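As an added example (not code from this thread or from ArcSight), a small Python lint for a parser-override fragment: it flags an unbalanced closing delimiter in a `__function(...)` expression, such as a call closed with `}` instead of `)`, and checks that each quoted regex literal compiles. The sample fragment is constructed; whether the connector evaluates `event.rawEvent` on the right-hand side of a mapping is outside what this check can tell you.

```python
import re

# Constructed sample in the shape of the post's conditional map. The
# __regexToken call is closed with "}" instead of ")" on purpose.
SAMPLE_OVERRIDE = r"""
conditionalmap.field=event.externalId
conditionalmap[0].mappings[0].values=50
conditionalmap[0].mappings[0].event.rawEvent=__regexToken(event.rawEvent,"^[\s\S]{0,100}"}
"""

OPENERS = {")": "(", "]": "[", "}": "{"}
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')   # double-quoted literal with escapes

def check_delimiters(expr):
    """Return None if (), [], {} balance once string literals are masked, else a message."""
    stack = []
    for ch in STRING_LITERAL.sub('""', expr):       # brackets inside literals are not delimiters
        if ch in "([{":
            stack.append(ch)
        elif ch in OPENERS:
            if not stack or stack[-1] != OPENERS[ch]:
                return f"unexpected '{ch}'"
            stack.pop()
    return f"unclosed '{stack[-1]}'" if stack else None

def check_regex_literals(expr):
    """Compile each quoted literal with Python's re (close to, but not identical to, Java's)."""
    problems = []
    for lit in STRING_LITERAL.findall(expr):
        try:
            re.compile(lit)
        except re.error as exc:
            problems.append(f"regex {lit!r} does not compile: {exc}")
    return problems

def lint_override(text):
    """Map each key whose value is a __function(...) call to the problems found in it."""
    findings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep or not value.startswith("__"):   # only function-call values are checked
            continue
        problems = check_regex_literals(value)
        if (delim := check_delimiters(value)):
            problems.append(delim)
        if problems:
            findings[key.strip()] = problems
    return findings
```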
Shaun Acclaimed Contributor.

Re: WiNC "Denial Of Service" message generated from EMET log

Are you sure your original message is getting dropped? The DOS protector usually generates an internal event which is really just complaining about the field being too long and that it's being truncated.

John.Ireland1 Trusted Contributor.

Re: WiNC "Denial Of Service" message generated from EMET log

Hi Shaun, I can find no evidence of the original message unless it has a different 'name' to the successful EMET messages!
