Scott Register
VP, Product Management

Wield the Power of RegEx with New ATI Processor GUI

June 15, 2016 by Scott Register

We’ve just released a new feature, GUI-based RegEx matching, in Ixia’s ATI Processor (ATIP). Observant readers (you know who you are) will note that ATIP has always supported RegEx matching, but it was only available by writing a custom app. Now, we’ve made the process much easier; it’s all GUI-driven, no XML writing required. 

Would you like to find all DNS queries for a certain domain?  For everything in the .com top-level domain (TLD)?  Maybe you’d like to find out if someone sends out credit card numbers or when a certain user ID logs into your e-commerce site (yes, this works with SSL decryption as well). Maybe you just want to identify users in your company who use words like “synergize”, “Mobilegeddon”, or “hyperconvergence.”  Now, it’s almost trivially easy to do, and you never have to resort to a command line interface or edit an XML file. And thanks to the ATI Processor’s flexibility, you can do pretty much anything you want once you pinpoint your traffic—forward it to your external data capture or analytics tool, generate rich Netflow data, or even store it in a PCAP right on ATIP (thanks to our new integrated Packet Capture capability).

Here’s all it takes to create a filter using RegEx. First, launch the intuitive ATIP Web UI and click on New Filter.

[Screenshot: RegEx1]

You’ll see our recently redesigned filter panel, where you can narrow your search to specific geographies and applications. In this case, I’m going to search for traffic to and from Brazil.

[Screenshot: RegEx2]

Next, I’ll narrow down the apps I’m interested in to specific email applications.

[Screenshot: RegEx3]

Now, I set up my Regular Expression (RegEx). The page has complete instructions and examples you can follow and modify, covering everything from DNS lookups to email addresses.

Let’s say I want to look for the words “dogfish” or “catfish”; my RegEx would look like this:

[Screenshot: RegEx4]

If I wanted to search for any email addresses in the ixiacom.com domain, with any combination of between 1 and 20 upper- and lowercase letters before the @, I could specify:

[Screenshot: RegEx5]

And finally, if I wanted to find bad, baad, or anything up to baaaaaaaaaad, I could search for:

[Screenshot: RegEx6]

These are all simple examples, but you can easily extend these to do almost anything you want, and the onscreen instructions and examples will guide you through. Each filter can contain up to 5 RegEx expressions, so you can search for multiple independent strings in the same filter.
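The three patterns described above, as an added Python example that is not from the post or from the ATIP product: the post shows the patterns only as screenshots, so the regexes below are my reading of the prose, and the filter names and sample lines are constructed. It goes one step further than the post by showing why an unanchored `{1,20}` does not actually cap the length of a match, and how to make the bound real.

```python
import re

# Added example: the three filters from the post, written as Python regexes.
# These are my reading of the prose descriptions, not patterns copied from
# the ATIP UI.  ATIP runs its patterns over (optionally decrypted) payloads;
# here they run over constructed sample strings.
PATTERNS = {
    # "dogfish" or "catfish"
    "fish": re.compile(r"dogfish|catfish"),
    # 1-20 letters before the @, then the ixiacom.com domain.  Without
    # anchors, {1,20} only enforces a minimum: a 26-letter local part would
    # still match on its last 20 letters.  The lookbehind and lookahead
    # refuse a letter on either side of the match, which makes the bound real.
    "ixia_mail": re.compile(r"(?<![A-Za-z])[A-Za-z]{1,20}@ixiacom\.com(?![A-Za-z])"),
    # bad, baad, ... baaaaaaaaaad: one or more 'a'.  \b keeps "badge" out.
    "baaad": re.compile(r"\bba+d\b"),
}

# Constructed sample payload lines (not real traffic).
SAMPLES = [
    "Subject: the catfish are running again",
    "From: alice@ixiacom.com",
    "To: abcdefghijklmnopqrstuvwxyz@ixiacom.com",  # 26 letters: over the cap
    "that was a baaaad idea",
    "badge of honour",                              # 'bad' inside 'badge'
    "nothing to see here",
]


def match_filters(lines, patterns=PATTERNS):
    """Return {filter_name: [matched text, ...]} over the given lines.

    Mirrors one ATIP filter carrying several independent RegEx expressions:
    every pattern is evaluated against every line.
    """
    hits = {name: [] for name in patterns}
    for line in lines:
        for name, rx in patterns.items():
            for m in rx.finditer(line):
                hits[name].append(m.group(0))
    return hits


if __name__ == "__main__":
    for name, found in match_filters(SAMPLES).items():
        print(f"{name}: {found}")
```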

And what about encryption? By default, if SSL decryption is enabled, ATIP will decrypt all traffic that it can (see this blog for more details on our SSL decryption).  If you want to examine only traffic that was previously encrypted, you can select that checkbox.

Once you’ve found the traffic matching the search you are interested in, you can generate Netflow, forward it after performing data masking, or capture it and download it as a PCAP file. 

There’s a video demo of RegEx setup: