validate-prm-regex
The /opt/lce/tools/validate-PRM-regex utility uses the same pattern matching library and parameters as the Log Correlation Engine itself. Tenable recommends using this tool to test your plugins.
validate-PRM-regex takes two arguments:
<PRM_reg.ex._line> <sample_log>
Note: As the regex argument, validate-PRM-regex accepts either an entire directive line (i.e. regex=regexExpression or regexi=regexExpression) exactly as it would appear in a .prm file; or just the regexExpression. In the latter case, it behaves as if regexExpression were prefixed by regex=.
Note: While you can and should feed validate-PRM-regex complete sample logs for final testing, log fragments are fine when developing.
Note: Enclose each argument in single quotes to protect it from shell interpretation.
Example Output
Log Matched, Extracted 1 or More Substrings
Log Matched, No Substrings Extracted
Tip: Enclose the subpattern you want to extract in parentheses to make it a capturing subpattern.
Log Not Matched
Invalid Regex
Tip: The error message printed above may help you figure out what is wrong with the regex. In this example, exactly as the error message says, the closing delimiter ) was missing.
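Added example (not Tenable's code and not part of the original page): a Python stand-in that sorts a regex/log pair into the four outcomes listed under Example Output, for pre-checking expressions on a machine without LCE installed. It uses Python's re module rather than the library LCE uses, so results can differ for some syntax. The function names and the sample log are constructed, and it assumes that regexi= means case-insensitive matching and that patterns are searched unanchored.

```python
import re

# Outcome labels taken from the headings on this page.
MATCHED_EXTRACTED = "Log Matched, Extracted 1 or More Substrings"
MATCHED_NO_EXTRACT = "Log Matched, No Substrings Extracted"
NOT_MATCHED = "Log Not Matched"
INVALID = "Invalid Regex"


def split_directive(arg):
    """Return (expression, case_insensitive) from a directive line or bare regex."""
    # Assumption: regexi= is the case-insensitive form of regex=.
    for prefix, insensitive in (("regexi=", True), ("regex=", False)):
        if arg.startswith(prefix):
            return arg[len(prefix):], insensitive
    # A bare expression is treated as if it were prefixed by regex=.
    return arg, False


def check(arg, sample_log):
    """Classify one regex/log pair; returns (outcome, detail)."""
    expr, insensitive = split_directive(arg)
    try:
        pattern = re.compile(expr, re.IGNORECASE if insensitive else 0)
    except re.error as exc:
        return INVALID, str(exc)  # e.g. a missing closing parenthesis
    match = pattern.search(sample_log)  # assumption: unanchored search
    if match is None:
        return NOT_MATCHED, None
    captured = [g for g in match.groups() if g is not None]
    if captured:
        return MATCHED_EXTRACTED, captured
    return MATCHED_NO_EXTRACT, None


# Constructed sample log fragment (not from a real system).
SAMPLE = "sshd[2211]: Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2"

if __name__ == "__main__":
    for arg in (
        r"regex=Failed password for invalid user (\S+) from (\S+)",
        r"Failed password for invalid user \S+",
        r"regex=failed password",
        r"regexi=failed password",
        r"regex=Failed password for (\S+",
    ):
        print(arg, "->", check(arg, SAMPLE))
```

Run the final expression through validate-PRM-regex itself before deploying the plugin, since only that tool shares LCE's matching behavior.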