This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

<<< in rhlinux message file - what's up with that?

AntoniGrzymala
Beginner
Beginner

‎2017-07-27 04:59 AM

Hi,

 

I was recently looking through v20_rhlinuxmsg.xml on our decoder and discovered something interesting. In the most recent version from Live there is a following message definition:

 

<MESSAGE
id1="003414"
[...]
content="&lt;agent&gt;: pam_vas: Authentication &lt;&lt;&lt;result&gt;&gt; for &lt;&lt;&lt;event_type&gt;&gt; user: &lt;&lt;&lt;username&gt;&gt; account: &lt;&lt;&lt;c_username&gt;&gt
; service: &lt;&lt;&lt;service&gt;&gt; reason: &lt;fld1&gt; Access Control Identifier(NT Name):&lt;&lt;&lt;user_address&gt;&gt;" />

 

Please take note of the 'content' attribute value which contains the following string (after removing XML entity encoding):

 

<agent>: pam_vas: Authentication <<<result>> for <<<event_type>> user: <<<username>> account: <<<c_username>> service: <<<service>> reason: <fld1> Access Control Identifier(NT Name):<<<user_address>>

 

What's up with the triple '<' characters? This doesn't look like proper parser message syntax to me at all. Does anyone know what is it? Is it some different type of field? A bug in the XML?

 

The parser loads and works OK with these "broken" field definitions.

 

--

mg

0 Likes
0 REPLIES 0
© 2022 RSA Security LLC or its affiliates. All rights reserved.