
esi parser rule

esi parser rule <rule_name>

condition <string>

domain <word>

enable

match {ipaddr <string>|mac <string>|user <string>}

no

position <1-32>

set {blacklist|role <word>}

test {msg <syslog>|file <filename>}

Description

This command creates or changes an ESI (External Services Interface) syslog parser rule. ESI provides an open interface for integrating security solutions that address interior network problems such as viruses, worms, spyware, and corporate compliance. A parser rule tells the controller how to recognize a syslog message sent by such a solution, which client the message refers to, and what action to take against that client.

Syntax

Parameter and description (range and default are listed where they apply)

<rule_name>

Name of the ESI parser rule.

condition <string>

Specifies the regex (regular expression) pattern that uniquely identifies the syslog message.

domain <word>

(Optional) Specifies the ESI syslog parser domain to which this rule applies. If not specified, the rule matches messages from all configured ESI servers.

enable

Enables this rule.

Note: The condition, user match, and set action parameters must be configured before the rule can be enabled.

Default: Disabled

match

Specifies the user identifier to match. ipaddr, mac, and user each take a regex pattern that uniquely identifies the user within the message.

ipaddr <string>

Matches using the client IP address.

mac <string>

Matches using the client MAC (Media Access Control) address.

user <string>

Matches using the client user name.

no

Negates any configured parameter.

position <1-32>

Specifies the rule's priority position.

Range: 1–32; 1 is the highest priority.

set

Specifies the action to take.

Note: The role must already be configured before it is accepted by the ESI rule.

blacklist

Blacklists the user.

role <word>

Changes the user role.

test

Tests the configured regular expressions against syslog input and shows which rule matched and which user identifier was extracted.

msg <syslog>

Tests the rules against a single syslog message.

file <filename>

Tests the rules against a file of syslog messages.

Usage Guidelines

An ESI rule is created by using characters and special operators to specify a pattern that uniquely identifies a syslog message. This "condition" defines the type of message and the ESI domain to which the message pertains. The rule contains three major fields:

Condition: The regex pattern that uniquely identifies the syslog message type.

User: The user identifier, extracted from the message. It can be in the form of a user name, a MAC address, or an IP address.

Action: The action to take when a rule match occurs (blacklist the user or change the user role).

Rules are evaluated in position order, position 1 first. Once a condition match occurs, no further rule-matching is done. Only one action can be defined for the matching rule.

For details on the character-matching operators, repetition operators, and expression anchors used to define the search or match target, refer to External Services Interface.

Use the show esi parser rules command to display ESI parser rule information. Use the show esi parser stats command to display ESI parser rule statistics.

Examples

The following commands set up a FortiGate virus rule named forti_rule. The rule parses the virus-detection syslog message, using the log_id value (log_id=) as the condition and the source IP address (src=) as the user match; a matching client is blacklisted.

(host) [md] (config) #esi parser rule forti_rule

condition "log_id=[0-9]{10}[ ]"

match ipaddr "src=(.*)[ ]"

set blacklist

domain fortinet

enable

A syslog message that this rule matches is:

< Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >

The following example of the test command tests a rule against a specified single syslog message:

(host) [md] (config) #esi parser rule test msg "26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4"


< 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >

=====

Condition:     Matched with rule "forti_rule"

User:          ipaddr = 1.2.3.4

=====

The following example of the test command tests a rule against a file named test.log, which contains several syslog messages:

(host) [md] (config) #esi parser rule test file test.log


 < Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4 >

==========

Condition:      Matched with rule "forti_rule"

User:           ipaddr = 1.2.3.4

==========


 < Oct 18 10:43:40  cli[627]: PAPI_Send: To: 7f000001:8372 Type:0x4 Timed out. >

==========

Condition:      No matching rule condition found

==========


 < Oct 18 10:05:32  mobileip[499]: <500300> <DBUG> |mobileip|  Station 00:40:96:a6:a1:a4, 10.0.100.103: DHCP FSM received event: RECEIVE_BOOTP_REPLY current: PROXY_DHCP_NO_PROXY, next: PROXY_DHCP_NO_PROXY >

==========

Condition:      No matching rule condition found

==========
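The following Python model of the parser logic described in the Usage Guidelines and exercised by the test command above is an added example; it is not ArubaOS code and does not reproduce the controller's implementation. It evaluates a list of rules in position order, stops at the first condition match, extracts the user identifier with the match regex, and renders output in the shape of esi parser rule test. The rule names, the quarantine role, and the sample syslog lines are constructed for the example (modelled on the messages on this page). The sample rule uses the tighter capture src=([0-9.]+) instead of the page's src=(.*)[ ]; greedy_capture_caveat shows why.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class EsiRule:
    """One ESI parser rule, mirroring the CLI parameters on this page."""
    name: str
    position: int                 # 1-32; 1 is evaluated first
    condition: str                # regex identifying the syslog message type
    match_kind: str               # "ipaddr", "mac" or "user"
    match: str                    # regex whose first group extracts the identifier
    action: str                   # "blacklist" or "role <name>"
    domain: Optional[str] = None  # None: rule applies to all ESI domains
    enabled: bool = False


def ready_to_enable(rule: EsiRule) -> bool:
    """The CLI refuses 'enable' until condition, match and set are configured."""
    return bool(rule.condition and rule.match and rule.action)


def enable(rule: EsiRule) -> EsiRule:
    if not ready_to_enable(rule):
        raise ValueError(f"rule {rule.name}: configure condition, match and set first")
    rule.enabled = True
    return rule


def evaluate(rules: List[EsiRule], message: str,
             domain: Optional[str] = None) -> Optional[Tuple[str, str, Optional[str], str]]:
    """Return (rule name, match kind, identifier, action) for the first enabled rule
    whose condition matches the message, else None.

    Rules are tried in position order and evaluation stops at the first condition
    match, as the usage guidelines state: if that rule's user match then fails, the
    identifier is None rather than falling through to a later rule."""
    for rule in sorted(rules, key=lambda r: r.position):
        if not rule.enabled:
            continue
        if rule.domain is not None and rule.domain != domain:
            continue
        if not re.search(rule.condition, message):
            continue
        m = re.search(rule.match, message)
        ident = m.group(1) if m and m.groups() else None
        return rule.name, rule.match_kind, ident, rule.action
    return None


def format_test_output(rules: List[EsiRule], message: str,
                       domain: Optional[str] = None) -> str:
    """Render a result in the shape of 'esi parser rule test msg' output."""
    lines = [f"< {message} >", "=" * 10]
    result = evaluate(rules, message, domain)
    if result is None:
        lines.append("Condition:      No matching rule condition found")
    else:
        name, kind, ident, _action = result
        lines.append(f'Condition:      Matched with rule "{name}"')
        lines.append(f"User:           {kind} = {ident}")
    lines.append("=" * 10)
    return "\n".join(lines)


def greedy_capture_caveat() -> Tuple[str, str]:
    """Why the page's 'src=(.*)[ ]' is fragile: '.*' is greedy, so when fields follow
    src= it swallows them up to the last space. A character-class capture does not."""
    msg = "Sep 26 18:30:02 log_id=0100030101 type=virus src=1.2.3.4 dst=10.0.0.5 proto=6"
    greedy = re.search(r"src=(.*)[ ]", msg).group(1)
    tight = re.search(r"src=([0-9.]+)", msg).group(1)
    return greedy, tight


# Constructed rules; names, positions and the quarantine role are assumptions.
FORTI_RULE = enable(EsiRule(
    name="forti_rule", position=1, condition=r"log_id=[0-9]{10}[ ]",
    match_kind="ipaddr", match=r"src=([0-9.]+)", action="blacklist", domain="fortinet"))
QUARANTINE_RULE = enable(EsiRule(
    name="virus_quarantine", position=2, condition=r"type=virus",
    match_kind="ipaddr", match=r"src=([0-9.]+)", action="role quarantine"))

# Constructed syslog lines modelled on the page's test output (not real captures).
SAMPLE_MESSAGES = [
    "Sep 26 18:30:02 log_id=0100030101 type=virus subtype=infected src=1.2.3.4",
    "Oct 18 10:43:40  cli[627]: PAPI_Send: To: 7f000001:8372 Type:0x4 Timed out.",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(format_test_output([FORTI_RULE, QUARANTINE_RULE], msg, domain="fortinet"))
        print()
```

Because the first condition match ends evaluation, a broad condition placed at a low position number shadows every more specific rule behind it; order conditions from most to least specific. For the user match, prefer a capture bounded by a character class (digits and dots for an IPv4 address, hex digits and colons for a MAC) over .* so that a vendor adding fields after src= cannot change which string ends up blacklisted.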

Related Commands

Command

Description

show esi parser rules

Displays configuration information for the ESI parser rules.

show esi parser stats

Displays statistics for the ESI parser rules.

Command History

Release

Modification

ArubaOS 8.0.0.0

Command introduced.

Command Information

Platform

License

Command Mode

All platforms

Requires the PEFNG (Policy Enforcement Firewall) license.

Config mode on Mobility Master.
