Search parameters
Search parameters define additional conditions and can be used with different actions.
Request type (REQ_TYPE)
Request type acts as a filter for transform actions. In non-transform actions with search parameters, request type provides a hint for where to search.
Request types available for actions with search parameters:
- LOGIN FAILED (LOGIN_FAILED)
- PREPARED STATEMENT (PREP_STAT)
- RPC (RPC)
- SQL (SQL)
- SQL ERROR (SQL_ERROR)
- SQL SUCCESS (SQL_SUCCESS)
Request types available for actions with transform parameters:
- LOGIN FAILED (LOGIN_FAILED)
- PREPARED STATEMENT (PREP_STAT)
- RPC (RPC)
- SQL (SQL)
- SQL ERROR (SQL_ERROR)
Note: In the SR language, write request types without quotation marks.
Search prefix (SEARCH_PREFIX)
Search prefix matches the defined pattern at the beginning of a value.
Use search prefix with or without request type for transform actions and for regular actions with search parameters. Request type acts as a filter for transform actions. In non-transform actions with search parameters, request type provides a hint for where to search.
| Rule criteria used | | | | |
| --- | --- | --- | --- | --- |
| Request type defined | Yes | No | Yes | No |
| Search prefix defined | Yes | Yes | No | No |
| Actions taken | | | | |
| Search with search prefix | Yes | Yes | No | No |
| Search with request type | No | No | Yes | No |
| Search in DB User (DB_USER) | No | No | No | Yes |
Example:
IGNORE_REQUEST REQ_TYPE = SQL SEARCH_PREFIX = 'GAT'
This matches SQL requests with the prefix GAT.
Example:
IGNORE_REQUEST REQ_TYPE = SQL_ERROR SEARCH_PREFIX = 'TNS-'
This matches SQL errors with the prefix TNS-.
Search pattern (SEARCH_PATTERN)
Search pattern matches the defined pattern in any part of the value.
Example:
IGNORE_REQUEST REQ_TYPE = SQL SEARCH_PREFIX = 'SELECT' SEARCH_PATTERN = 'FROM SCOTT.'
This matches SELECT SQL requests that contain the pattern FROM SCOTT.
Match pattern (MATCH_PATTERN)
Match pattern is similar to search pattern but uses regular expressions to match the defined pattern in any part of the value.
Example:
SELECT * FROM SCOTT.A WHERE SECRET = '1234'
MATCH_PATTERN = '^.*FROM (.*)\.A.*$'
OUTPUT_FORMAT = '\1'
This takes the first regular expression element in parentheses and writes it to the output format.
Search offset (SEARCH_OFFSET)
Search offset works with search pattern and match pattern to cut the source string where the matched pattern is found. This can improve matching with regular expressions.
Example:
SELECT LAST_NAME FROM SCOTT.EMPLOYEES
TRANSFORM_STATEMENT SEARCH_PREFIX = 'SELECT' SEARCH_PATTERN = 'FROM SCOTT.' SEARCH_OFFSET MATCH_PATTERN = '^(.*)\.(.*)$' OUTPUT_FORMAT = '\1.\2'
This finds the string defined by search pattern, while search offset cuts off everything before it, allowing match pattern to work more efficiently.
Checking criteria for actions in search parameters
The default is DB_USER:guardium://empty, meaning that SEARCH_PREFIX matches if the value is empty. Other criteria can be checked:
- ANALYZED_CLIENT_IP
- APP_USER_NAME
- AUTH_TYPE
- CLIENT_HOST_NAME
- CLIENT_IP
- CLIENT_OS_NAME
- COMMAND
- CTIMEZONE
- DB_NAME
- DB_USER
- DESCRIPTION
- ERROR
- OS_USER
- SERVER_DESCRIPTION
- SERVER_HOST_NAME
- SERVER_IP
- SERVER_OS_NAME
- SERVICE_NAME
- SOURCE_PROGRAM
- STATEMENT
Examples:
- Search prefix = DB_USER:NO_AUTH
- Search pattern = STATEMENT:SELECT%
- Match pattern = ERROR:%13%
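The MATCH_PATTERN and SEARCH_OFFSET examples above can be checked offline before a rule is deployed. The following Python model is an added example, not product code: the names `apply_search_params`, `offset_demo`, `TIGHT` and the constructed statement `STMT_C` are assumptions, and Python's `re` module stands in for the product's regular expression engine. It goes one step beyond the page by showing how the greedy `(.*)` group over-captures when a literal in the statement contains `.A`.

```python
import re

def apply_search_params(value, search_prefix=None, search_pattern=None,
                        search_offset=False, match_pattern=None,
                        output_format=None):
    """Model of the parameter chain as this page describes it.

    Returns None if a condition fails, else the OUTPUT_FORMAT expansion.
    Assumption: Python's re stands in for the product's regex engine.
    """
    # SEARCH_PREFIX: pattern must be at the beginning of the value.
    if search_prefix is not None and not value.startswith(search_prefix):
        return None
    # SEARCH_PATTERN: pattern may be in any part of the value.
    if search_pattern is not None:
        pos = value.find(search_pattern)
        if pos < 0:
            return None
        if search_offset:
            # SEARCH_OFFSET: cut off everything before the found pattern.
            value = value[pos:]
    if match_pattern is None:
        return value
    m = re.search(match_pattern, value)
    if m is None:
        return None
    # OUTPUT_FORMAT refers to parenthesized groups as \1, \2, ...
    return m.expand(output_format) if output_format else m.group(0)

PAGE_PATTERN = r'^.*FROM (.*)\.A.*$'        # MATCH_PATTERN from the page
TIGHT = r'^.*FROM ([^. ]+)\.A.*$'           # hypothetical stricter variant
STMT_A = "SELECT * FROM SCOTT.A WHERE SECRET = '1234'"   # from the page
STMT_B = "SELECT LAST_NAME FROM SCOTT.EMPLOYEES"         # from the page
STMT_C = "SELECT * FROM SCOTT.A WHERE NOTE = 'X.A'"      # constructed

def offset_demo(use_offset):
    """The page's TRANSFORM_STATEMENT example, with or without SEARCH_OFFSET."""
    return apply_search_params(STMT_B, search_prefix='SELECT',
                               search_pattern='FROM SCOTT.',
                               search_offset=use_offset,
                               match_pattern=r'^(.*)\.(.*)$',
                               output_format=r'\1.\2')

if __name__ == "__main__":
    print(apply_search_params(STMT_A, match_pattern=PAGE_PATTERN, output_format=r'\1'))
    print(offset_demo(True), "|", offset_demo(False))
    # Greedy (.*) runs to the last ".A", pulling literal text into the output.
    print(apply_search_params(STMT_C, match_pattern=PAGE_PATTERN, output_format=r'\1'))
    print(apply_search_params(STMT_C, match_pattern=TIGHT, output_format=r'\1'))
```

Without SEARCH_OFFSET the same MATCH_PATTERN returns the whole statement, and the stricter character class keeps quoted literal text out of the output.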