On 2017-03-16 17:44, John P. Rouillard wrote:
> In message <d4369eeb41a9b78afcdbb5a5535b3020@localhost>,
> James Lay writes:
>> So I'm trying to create a rule to match this pattern:
>>
>> "\.php\?id=[0-9A-Za-z]{8}"
>>
>> The caveat is that I can't match certain things like, for example
>> "\.net|\.org". How do I create a regex with negation for SEC? Thank
>> you.
>
> If I understand you correctly, you want to use the following sequence
> of rules:
>
> type = single
> comment = rule 1
> ptype = regexp
> pattern = \.net|\.org
> action = logonly
>
> type = single
> comment = rule 2
> ptype = regexp
> pattern = \.php\?id=[0-9A-Za-z]{8}
> [...]
> action = do something.
>
> Rule 1 will match what you want to exclude. By default a matching rule
> stops processing for the event.
>
> So this sequence will prevent any event matching .net or .org from
> being seen by rule 2.
>
> I assume you will want https?://[^/]+(\.net|\.org)/ or something to
> constrain where .org or .net show up in rule 1.
>
> Also there is a way to trigger a rule if a regexp does not
> match. Look for pattern type (ptype) nregexp in the man page.
> I don't think that's what you want for your use case but...
>
> Hope this helps.
>
> --
> -- rouilj
> John Rouillard

Thanks John, that's helpful. As I understand it, the rule 1 above would actually apply to my entire sec.conf, yes? Truth be told that's always been a challenge for me...adding a negation (of sorts) usually applies to the entire sec.conf file. I wish there was a way to create a....I dunno.."self contained" rule or set of rules that would only apply to that rule or set of rules. Unless I'm missing something....which is usually more than likely.

Thanks again..I'll continue digging and apply some of what you've posted.

James

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
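
Two ways to keep the .net/.org exclusion local to the php id rule, as an added example that is not part of the original thread: SEC evaluates each rule file independently, so an exclusion placed in its own file shields only the rules in that file, and a PerlFunc pattern can carry the negation inside a single rule. The file name, the paths in the comment and the `write` action are assumptions chosen for illustration.

```conf
# File: php-id.sec  (hypothetical name; load it next to your other rule
# files, e.g.  sec --conf='/etc/sec/*.sec' --input=/var/log/access.log)
#
# A match without continue=TakeNext ends rule processing only in the
# file that matched. Rules in other files still see .net/.org events.

# Variant A: exclusion rule followed by the rule of interest.
# Suppress drops the event for the remaining rules in this file only.
# Pattern taken from the thread; tighten it to the host part of a URL
# as suggested there if .net/.org can appear elsewhere in the line.
type=Suppress
ptype=RegExp
pattern=\.net|\.org
desc=ignore .net/.org events for the php id rule

# Reached only by events the Suppress rule above let through.
type=Single
ptype=RegExp
pattern=\.php\?id=[0-9A-Za-z]{8}
desc=php id request: $0
action=write - matched: $0

# Variant B: one self-contained rule, usable in any file in place of
# variant A. The Perl function receives the input line as $_[0] and
# returns 1 only when the wanted pattern matches and the excluded
# pattern does not.
#
# type=Single
# ptype=PerlFunc
# pattern=sub { return ($_[0] =~ /\.php\?id=[0-9A-Za-z]{8}/ \
#                       && $_[0] !~ /\.net|\.org/) ? 1 : 0; }
# desc=php id request outside .net/.org: $0
# action=write - matched: $0
```

Variant B is commented out so the file does not report the same event twice; enable one variant or the other.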