Re: [Simple-evcorr-users] Negation

Fri, 17 Mar 2017 08:48:47 -0700 

Thanks Todd...I had the regex101.com link up and trying to learn about 
lookahead/behind...it makes me head hurt.

James

On 2017-03-17 09:02, Todd M. Hall wrote:
> I've not verified if this works in SEC, but you could maybe do a 
> negative
> lookahead/behind
> 
> \.php\?id=[0-9A-Za-z]{8}(?!\.net|\.org)
> 
> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
> 
> There may be a bit of a performance hit with using these though.  Give 
> them a
> try.
> 
> 
> On Thu, 16 Mar 2017, James Lay wrote:
> 
>> Date: Thu, 16 Mar 2017 17:42:25 -0500
>> From: James Lay <j...@slave-tothe-box.net>
>> To: Simple Event Corralator 
>> <simple-evcorr-users@lists.sourceforge.net>
>> Subject: [Simple-evcorr-users] Negation
>> 
>> Hey all,
>> 
>> So I'm trying to create a rule to match this pattern:
>> 
>> "\.php\?id=[0-9A-Za-z]{8}"
>> 
>> The caveat is that I can't match certain things like, for example
>> "\.net|\.org".  How do I create a regex with negation for SEC?  Thank
>> you.
>> 
>> James
>> 
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Simple-evcorr-users mailing list
>> Simple-evcorr-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>> 
> 
> --
> Todd M. Hall
> Sr. Network Analyst
> Information Technology Services
> Mississippi State University
> t...@msstate.edu
> 662-325-9311 (phone)
> 
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users

Reply via email to