Hey, we want to replace the value, not the field. Currently the values in "service" that are an actual number are parsed as "dest_port", while values in "service" that are resolved as words are not included. Instead of the word for the service, we want to insert the value of the port number in the logs. So is that possible by changing the syntax in props.conf?
Syntax available in props.conf for OPSEC
FIELDALIAS-dest_for_opsec = dst as dest, dst as dest_ip
FIELDALIAS-src_for_opsec = src as src_ip
FIELDALIAS-direction_for_opsec = i_f_dir as direction
FIELDALIAS-dvc_for_opsec = orig as dvc
FIELDALIAS-event_id_for_opsec = loc as event_id
FIELDALIAS-vendor_product = product as vendor_product
FIELDALIAS-vendor_action = action as vendor_action
FIELDALIAS-dest_interface = outbound_interface as dest_interface
FIELDALIAS-src_interface = inbound_interface as src_interface
FIELDALIAS-icmp_code = ICMP as icmp_code
FIELDALIAS-icmp_type = ICMP_Type as icmp_type
FIELDALIAS-packets_in = client_inbound_packets as packets_in
FIELDALIAS-packets_out = client_outbound_packets as packets_out
FIELDALIAS-src_zone = inzone as src_zone
FIELDALIAS-dest_zone = outzone as dest_zone
EVAL-dvc_ip = if(match(orig,"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"), orig, null)
EVAL-rule = case(isnull(rule),policy_name,(not isnum(rule)),rule,isnotnull(policy_name),policy_name,1==1,null)
EVAL-rule_id = if(isnum(rule),rule,null)
EVAL-src_port = if(isnum(s_port),s_port,null)
EVAL-src_svc = if(isnum(s_port),null,s_port)
EVAL-dest_port = if(isnum(service),service,null)
EVAL-dest_svc = if(isnum(service),null,service)
EVAL-transport = case(lower(proto)=="tcp","tcp",lower(proto)=="udp","udp",lower(proto)=="icmp","icmp",1==1,null)
EVAL-received_bytes = if (received_bytes < 0, 2147483647, received_bytes)
EVAL-sent_bytes = if(sent_bytes < 0, 2147483647, sent_bytes)
EVAL-bytes_in = if (received_bytes < 0, 2147483647, received_bytes)
EVAL-bytes_out = if(sent_bytes < 0, 2147483647, sent_bytes)
EVAL-bytes = if(bytes < 0, 2147483647, bytes)
EVAL-client_inbound_bytes = if(client_inbound_bytes < 0, 2147483647, client_inbound_bytes)
EVAL-client_outbound_bytes = if(client_outbound_bytes < 0, 2147483647,client_outbound_bytes)
EVAL-server_inbound_bytes = if(server_inbound_bytes < 0, 2147483647, server_inbound_bytes)
EVAL-server_outbound_bytes = if(server_outbound_bytes < 0, 2147483647,server_outbound_bytes)
Note: Only partial syntax is pasted in the comment.
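One way to get a numeric dest_port out of a named service with props.conf alone, as an added example that is not part of the comment above or of the Check Point OPSEC add-on: keep the numeric branch of EVAL-dest_port and fill the non-numeric case from an automatic lookup. The stanza name `[opsec]`, the lookup name `svc_to_port` and the CSV contents are assumptions for illustration; use the sourcetype the add-on really applies and your own service object names.

```ini
# props.conf (stanza name assumed; use the sourcetype the OPSEC add-on actually applies)
[opsec]
# A numeric service is already the port number; a name is left for the lookup below.
EVAL-dest_port = if(isnum(service), service, null())
EVAL-dest_svc  = if(isnum(service), null(), service)
# Search-time order is extractions -> aliases -> calculated fields -> lookups,
# so when this lookup runs dest_port only exists for numeric services.
# OUTPUTNEW writes dest_port only when it is still missing, i.e. when service
# was a name such as "http"; an existing numeric dest_port is left untouched.
LOOKUP-dest_port_for_opsec = svc_to_port service OUTPUTNEW port AS dest_port

# transforms.conf (lookup name assumed)
[svc_to_port]
filename = svc_to_port.csv
# Check Point service object names vary in case between policies; match loosely.
case_sensitive_match = false

# lookups/svc_to_port.csv (constructed sample; add every service object your
# policies use, including custom ones such as TCP_8443, or the name stays unmapped)
service,port
http,80
https,443
ssh,22
smtp,25
domain-udp,53
ntp,123
```

Both the EVAL and the LOOKUP are search-time operations: they change what `dest_port` shows in search results and in CIM data models, but the raw event in the index still contains the service name. If you would rather not ship a lookup file, the same mapping can be written inline, e.g. `EVAL-dest_port = case(isnum(service), service, lower(service)=="http", 80, lower(service)=="https", 443, 1==1, null())`, but then every service object has to be listed in the EVAL, and any name you miss silently yields no dest_port, so check with `| stats count by service dest_port` after deploying.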