aaron.wayne@hpe1 Absent Member.

payload in a field + perl programming

My payload is in deviceCustomString1, so sample code is as such. The problem I am having is that the machine code or text squares, UTF-8 or whatever you want to call it, is not allowing the payload to print to an output text file, which is my goal.

#!/usr/bin/perl

my $deviceCustomString1 = $ARGV[0];

my ($payload) = $deviceCustomString1 =~ s/[^[:print:]]+//g;

print $payload;

This is programming for a tool that I am working on. The logic above should parse out any junk characters and print the resulting ASCII payload that is parsed to that field.

Thanks to anyone that can help. Not sure why this is not working.

Vini Acclaimed Contributor.

Re: payload in a field + perl programming

Are you simply trying to put the payload data contained in the event into an integration command so you can output it in a legible form?

aaron.wayne@hpe1 Absent Member.

Re: payload in a field + perl programming

I am trying to print the field to a text document but only print the printable characters. If you try to outright print $deviceCustomString1 then it does not work, and I believe it is because the field contains non-printable characters, or I like to call them text blocks, lol, because that is what they look like.

I was reading something about telling Perl that you're dealing with a UTF-8 variable or something, then working with it that way. Not really sure; this one has me stumped.

aaron.wayne@hpe1 Absent Member.

Re: payload in a field + perl programming

Yep, and a few years later I still have not figured this out. You can copy and paste the non-printable field text into a field that is writable within the ArcSight console, but no luck parsing the entire field out.

I am currently trying in Python, and anytime a feed has payload going to a field and you try to extract e.g. the GET request, no matter what regex you throw at it, you cannot parse the field in its entirety. It seems the good ol' black diamond question mark non-ASCII chars are the issue, because when I parse I can get only the first two ASCII characters pulled out, then as soon as I hit the first black diamond with a number 9 non-printable, it's almost like ArcSight says stop it, you can parse no further, even if you parse matching that specific Unicode.

Pretty annoying. If anyone has found a solution on this, please respond.

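An added example, not code from any poster in this thread: one way to reduce a raw payload field to its printable text in Python and then pull the request line out of the cleaned result. It assumes the field value is available as raw bytes (for instance saved to a file); the sample bytes, function names and file arguments are constructed for illustration.

```python
import re
import sys

# Constructed sample (not from the thread): a request with a NUL, a tab (0x09),
# an invalid UTF-8 byte (0xFF) and a C1 control (U+0085) mixed into the text.
SAMPLE = b"GE\x00T\t/index.php?id=1 HTTP/1.1\r\nHost: example.test\xff\xc2\x85\r\n\r\n"

REQUEST_LINE = re.compile(r"(GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/\d\.\d")


def printable_only(raw: bytes) -> str:
    """Decode a raw field value and keep only printable characters."""
    # errors="replace" turns undecodable bytes into U+FFFD (rendered as the
    # black diamond) instead of raising, so decoding never stops part-way.
    text = raw.decode("utf-8", errors="replace")
    out = []
    for ch in text:
        if ch == "\n":
            out.append(ch)        # keep line structure
        elif ch == "\t":
            out.append(" ")       # tab becomes a single space
        elif ch != "\ufffd" and ch.isprintable():
            out.append(ch)        # drops NUL, CR, C0/C1 controls, U+FFFD
    # Unlike the Perl in the first post, which assigns the return value of
    # s///g (the substitution count), this returns the cleaned string itself.
    return "".join(out)


def request_line(raw: bytes):
    """Return (method, target) from the cleaned payload, or None."""
    m = REQUEST_LINE.search(printable_only(raw))
    return m.groups() if m else None


if __name__ == "__main__":
    # Usage (assumed file names): python clean_field.py field.bin payload.txt
    # The field is read from a file because a command-line argument is a
    # C string and cannot carry a NUL byte.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as src:
            data = src.read()
        with open(sys.argv[2], "w", encoding="utf-8") as dst:
            dst.write(printable_only(data))
    else:
        data = SAMPLE
    print(request_line(data))
```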