Cisco Support Community

Getting a "constant" value into a custom parser

Hello,

I have written several custom parsers, all of which extract source/dest IP and port from raw messages. They're all working fine in that respect.

What I need is for the MARS to also parse out the "protocol" value, which isn't present in the messages as they apply exclusively to TCP traffic. Can I have the MARS match on some arbitrary string and put a constant into the "protocol" field, rather than attempt to parse it out from the raw message?

Many thanks,

alec

1 REPLY

Re: Getting a "constant" value into a custom parser

The Parsed Field is one of the fields of a MARS event that has been fully parsed.

Custom Parser: Patterns not displayed in the correct order; it is a bug.

http://www.cisco.com/en/US/docs/security/security_management/cs-mars/4.2/user/guide/local_controller/cfgcustm.pdf
