• Support
  • Forums
  • Blogs
A New Community Experience is Coming! For more information, please see our announcement.

USERDATA fields for specific purpose.

nnectornnector

Inside the USERDATA's fielda can be any sort of data. My question is how can I find a string of data out of the  field?

In USERDATA1 there is a URL that comes into my OSSIM. I want to be able to pick out a x-number of letters that appear together in the URL. An example of what I am looking to do is:

This is a made up URL:

userdata1=http://alienvault.system/word/directive.php/etra/3245/sdfh32

What I want to do it make a directive that grabs out ".php"?

My question is, how do I write the directive that grabs out that string of data? I know I need to put something in the directive userdata field when I create it, I just do not know what to put in that field. The only data I have been able to enter in and have work is the exact userdata entry that comes in from the log.

Any insight?

Thx


Share post:

Answers

  • I guess you have to edit the plugins .cfg regex to put that extension bit in a separate field (userdataX). Then when you create a new directive in the "more" menu filter all the .php out. One thing you cant do for sure is use any swithes or tags in the "more" fields themselves (at least up to USM 4.9)
  • I guess you have to edit the plugins .cfg regex to put that extension bit in a separate field (userdataX). Then when you create a new directive in the "more" menu filter all the .php out. One thing you cant do for sure is use any swithes or tags in the "more" fields themselves (at least up to USM 4.9)
  • what does each of the userdata fileds represent?

Sign In or Register to comment.