20 Nov 17:43:1 10 28 2010 02:18:33: date=2010-10-28 time=00:27:54 log_id=2 type=ips subtype=signature pri=alert fwver=040002 severity=medium carrier_ep="N/A" profile="IPS" src=X.X.X.X dst=X.X.X.X src_int="wan1" dst_int="internal" policyid=2 status=detected proto=17 service=1434/udp vd="root" count=1 src_port=111 dst_port=80 attack_id=10328 sensor="IPS_sensor" ref="http://www.fortinet.com/ids/VID10328" user="N/A" group="N/A" incident_serialno=2004954881 msg="database: MS.SQL.Server.Resolution.Service.Stack.Overflow"

####

DB<10> $msg = q(some_fields msg="http_decoder: HTTP.Unknown.Tunnelling" some_fields)

DB<11> x $ msg
0 'some_fields msg="http_decoder: HTTP.Unknown.Tunnelling" some_fields'

DB<12> x $msg =~/msg=\"(.*?)\"/
0 'http_decoder: HTTP.Unknown.Tunnelling'

DB<13> x $msg =~ /msg=\"+((?:([^:,]+):\s|)([^,]+?)\s*(?:\s*,.*?|))\"+/
0 'http_decoder: HTTP.Unknown.Tunnelling'
1 'http_decoder'
2 'HTTP.Unknown.Tunnelling'