Rules and expressions


This topic introduces correlation rules and expressions, which are described in the next several sections. The BMC Defender Server system provides the Expression Eval Tool, which helps you understand the behavior of these expressions.

  1. To use the Expression Eval Tool, select More > Expr Tool from the hyperlink menu at the upper-right corner of the page. The following screen is displayed:
    [Screenshot: exprEvalTool.png]

    This tool has two text input windows:

    • The Match Expression window accepts a correlation pattern.
    • The Target String window accepts a target string, which is the particular message that you test the match expression against.
      The Target String field has a maximum length of 1000 characters.
  2. Enter a match expression and a target string, and then click Submit to test the expression.

    The result of the expression evaluation is displayed at the bottom of the screen: either Expression Matches or Expression Does Not Match.

    Also at the bottom of the screen, the Expanded Match Expression value is displayed (including any global variable and macro substitution, as discussed later), along with the Normalized Target String (with all letters converted to lowercase and multiple blanks squeezed out of the message).

    The Expanded Match Expression is particularly useful in learning the behavior of global variables and macros, as the Expression Eval Tool shows the final actual match expression, with any macro and global variable names replaced by their actual values.

    You can use this tool to quickly test the BMC Defender Server Match Expression capabilities and learn the general behavior of BMC Defender Server correlation functions.


Best practice
Examine this tool and the way it works before you start examining the Simple-match-expressions and Advanced-expressions sections.

 
