Title: Message
Ah, the easy answer is that grep is not the way. You want something a little higher up on the food chain, awk.
gawk "$4 == 2" netflow.txt
or the identical but clearer:
gawk "$4 == 2 {print $0}" netflow.txt
will parse the file called netflow.txt and only output the
Title: Message
Hi,
I'm trying to detect mails weight = 15 that did NOT fail "Sniffer".
I have:
Global.cfg:
SNIFFER external nonzero "D:\IMAIL\Sniffer\Win32\.exe ?" 4 0
SNIFFER-SNAKE external 052 "D:\IMAIL\Sniffer\Win32\.exe ?" 1 0
SNIFFER-SCAMS external
Andy,
That's not how MINWEIGHT works. MINWEIGHT is used for a filter so that
it doesn't subtract any more than the value that you give it, generally
a negative number unless you get fancy and apply scoring tests first.
The only way to do this currently would be to create an external test
to
I'm trying to detect mails weight = 15 that did NOT fail Sniffer.
In NOTSNIFFEDfilter.txt
MINWEIGHT 15
TESTSFAILED END CONTAINS SNIFFER
REMOTEIP 0 CONTAINS .
The problem here is that the MINWEIGHT option in a filter determines a
minimum weight at which filter processing will stop. This is a
Title: Message
fgrep "Total weight = " dec0531.log | fgrep -v "SNIFFER" | gawk "$NF >=20" > result.txt
sample contents of result.txt:
05/31/2004 00:01:44 Qd84b1ec600561d03 IPNOTINMX:2 HELOBOGUS:6 MAILFROM:9 REVDNS:4 CMDSPACE:5 COUNTRY:10 DSBL:6 SPAMCOP:3 SPAMCOP-DYNA:7 FIVETENSRC:2
Title: Message
Hi Matt:
Uh - I see. We would need a "SKIPIFWEIGHTLESS" option. Scott?
But - I still don't understand why I don't see lots of entries for "NOTSNIFFed".
If anything, now I should see lots of legitimate mail "match" that test?
Best Regards
Andy Schmidt
HM Systems Software,
I believe that MINWEIGHT 15 always exits the filter since it starts
with a score of zero.
If Andrew's suggestion doesn't work for your purposes, there's likely a
kludge that can be written with multiple filter files that can do this.
Matt
Andy Schmidt wrote:
Hi Matt:
Title: Message
Hi Andrew,
cool. Unfortunately, my goal was to route the messages not just "count".
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
I'm just curious...
Wouldn't the following work for the intended purpose (in this case)...
NOTSNIFFED external 0 . ...
Specifically - an external test that fails on a zero result should
work right Scott?
_M
On Monday, May 31, 2004, 7:01:50 PM, Matt wrote:
M I believe that MINWEIGHT 15
I think I found a solution.
Global.cfg:
SNIFFER external nonzero D:\IMAIL\Sniffer\Win32\.EXE 4 0
SNIFFER-SNAKE external 052 D:\IMAIL\Sniffer\Win32\.EXE 1 0
SNIFFER-SCAMS external 053
That's the way to do it :)
Matt
Andy Schmidt wrote:
I think I found a solution.
Global.cfg:
SNIFFER external nonzero D:\IMAIL\Sniffer\Win32\.EXE 4 0
SNIFFER-SNAKE external 052 D:\IMAIL\Sniffer\Win32\.EXE 1
That's the way to do it
Nope - it was a failure. The WEIGHTRANGE doesn't get processed by Declude
until the end. So when the FILTER is running, the WEIGHTRANGE hasn't been
set yet - apparently.
So, Scott... We're back to needing SKIPIFWEIGHTLESS!
Best Regards
Andy Schmidt
Phone: +1 201
Andy,
I'm a big proponent of a skip if less than or more than setup, however
I would like to see this in the Global.cfg so that the filter files
don't even need to be opened and read if the proper weights have been
tripped, thus saving a bunch of processing. This could be done with
two
Title: Message
Thanks Matt - smart work-around. I incorporated the key concept
and it seems to work!
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of