IBM Support

Handling the "Invalid regex pattern in the 'Could not find value for:" issue between the default RegEx and newer RegEx engine

Troubleshooting


Problem

IBM Security Guardium® appliances that were patched from version 10.1.0/10.1.2 to 11.x can display an "Invalid regex pattern in the 'Could not find value for:..." alert prompt during regular expression evaluation in the security policy.

Symptom

The problem appears during policy building or modification, when a user edits the SQL Criteria in the Rule Criteria and tests the regular expression.
The alert prompt then displays the following content:
Invalid regex pattern in the 'Could not find value for: 'Data
pattern' in: 'com.guardium.portal.admin.ApplicationResources'.'
field of the rule 'Name of the rule in policy'.

Cause

The sniffer component on the IBM Security Guardium® Collector presently supports 3 RegEx engines:
POSIX
PCRE
GNU
In IBM Security Guardium® V10.1.2 and all prior versions, the default RegEx engine was POSIX, chosen from the two options available at the time: POSIX and GNU.
To improve performance, starting with IBM Security Guardium® Version 10.1.3 the default RegEx engine for the Sniffer's analyzing function was set to "PCRE".
At the same time, until Guardium® Version 10.5 the Sniffer's logging function could support only the POSIX regex libraries.
If a regex data pattern needs to be analyzed using the POSIX library and the appliance has the PCRE RegEx engine set, the analysis fails and results in an error.
This is because the POSIX collating elements in a given regex data pattern might not be supported by the PCRE regex library.

 

Environment

This knowledge article applies to IBM Security Guardium® Collector appliances on which the Sniffer (inspection-core) functionality is active.

Diagnosing The Problem

When IBM Security Guardium® appliances at V10.1.2 (or older versions) were upgraded, the same regular expression evaluation engine value, POSIX, is carried forward to the newer appliance version.
If a given pattern is supported by the POSIX RegEx engine but the sniffer is using the PCRE RegEx engine for analysis, pattern matching gives an error when elements in the pattern are not supported.
The following is an example of a POSIX RegEx pattern with collating elements and its equivalent PCRE RegEx pattern:

The following is the POSIX RegEx pattern to match PCI_TRACK_DATA (PCI = Payment Card Industry):

%B[0-9]{15,19}[A-Za-z0-9. ][[./.]][A-Za-z0-9. ][0-9]?[0-9]?|\;[0-9]{15,19}=[0-9]?[0-9]?

This pattern contains a collating element, [[./.]], which is not supported by the PCRE regex library.

The pattern can be written for PCRE as follows (the collating element is replaced by \/):
%B[0-9]{15,19}[A-Za-z0-9. ]\/[A-Za-z0-9. ][0-9]?[0-9]?|\;[0-9]{15,19}=[0-9]?[0-9]?
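
As an added example (not IBM's code and not part of the original article), the following Python script audits a POSIX pattern before the engine is changed: it lists the [.x.] collating elements and, going beyond the article's single case, the [=x=] equivalence classes that PCRE also rejects, and it rewrites a lone single-character collating element the same way the article does. The function names and the sample string are assumptions made for illustration, and Python's re module is used only as a stand-in to confirm that the converted pattern still matches.

```python
import re

# A bracket expression holding one single-character collating element, e.g. [[./.]]
LONE_COLLATING = re.compile(r"(?<!\\)\[\[\.(.)\.\]\]")

def to_pcre(pattern):
    """Rewrite lone single-character collating elements as escaped literals."""
    def literal(m):
        ch = m.group(1)
        return ch if ch.isalnum() else "\\" + ch
    return LONE_COLLATING.sub(literal, pattern)

def posix_only(pattern):
    """List [.x.] and [=x=] constructs that sit inside a bracket expression."""
    found, i, inside = [], 0, False
    while i < len(pattern):
        two = pattern[i:i + 2]
        if not inside:
            if pattern[i] == "\\":
                i += 2                      # escaped character, not a bracket
                continue
            if pattern[i] == "[":
                inside = True
                if pattern[i + 1:i + 2] == "^":
                    i += 1
                if pattern[i + 1:i + 2] == "]":
                    i += 1                  # a leading ] is literal content
        elif two in ("[.", "[=", "[:"):
            end = pattern.find(two[1] + "]", i + 2)
            if end != -1:
                if two != "[:":             # [:alpha:] classes work in PCRE too
                    found.append(pattern[i:end + 2])
                i = end + 2
                continue
        elif pattern[i] == "]":
            inside = False
        i += 1
    return found

# The PCI track-data pattern quoted in this article (POSIX form).
POSIX_PATTERN = r"%B[0-9]{15,19}[A-Za-z0-9. ][[./.]][A-Za-z0-9. ][0-9]?[0-9]?|\;[0-9]{15,19}=[0-9]?[0-9]?"
# Constructed sample input built around a well-known test card number.
SAMPLE = "%B4111111111111111A/B12"

if __name__ == "__main__":
    converted = to_pcre(POSIX_PATTERN)
    print(posix_only(POSIX_PATTERN), "->", converted, posix_only(converted))
    print("matches sample:", bool(re.search(converted, SAMPLE)))
```

Anything still reported by posix_only after conversion (for example a named collating element or one mixed into a larger bracket expression) has to be rewritten by hand before the pattern is used with the PCRE engine.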

 

Resolving The Problem

On the "cli" command prompt, the available options for commands containing the word regex can be seen by executing "commands regex".
With the available cli command "store analyzer regex ?" the regex engine can be modified.
Implementation steps for modifying the analyzer regex on the cli of collector appliance:
1. store analyzer_regex <posix / pcre / gnu>
2. restart inspection-core
3. restart gui 
Commands for restarting the inspection-core and the gui are mandatory to make sure the changes take effect. 
Once this is done, the pattern matching can be tested in the concerned policy rule criteria.
NOTE: When there is a large number of Managed Units (Collectors), please open a support request to get an ad hoc patch that performs the modification, instead of manually modifying the analyzer_regex on every collector.

Document Location

Worldwide


Historical Number

TS003718033; GRD-41808

Document Information

Modified date:
06 August 2020

UID

ibm16254814