Thanks...will give that a shot...as for the log line, here it 
is...spaces between are actually tabs (bro anyone ;))

1489675789.785756       CK7Ssz32GqWWIzfMXi      x.x.x.x    37876   x.x.x.x  25      something.us    bleh://something[.]us/something/something.php?id=7a6dfhysdf6

sanitized of the above.

James

On 2017-03-17 10:46, Todd M. Hall wrote:
> James,
> 
> The pattern would need to be a little different to work correctly.
> 
> The \S+ is breaking it.
> 
> This would be easier to see an actual log line, but try this...
> 
> \/\/[^\/ ]+(?!\.net|\.org)\/\S+.php\?id=[0-9A-Za-z]{8}
> 
> 
> On Fri, 17 Mar 2017, James Lay wrote:
> 
>> Date: Fri, 17 Mar 2017 11:13:05 -0500
>> From: James Lay <j...@slave-tothe-box.net>
>> To: simple-evcorr-users@lists.sourceforge.net
>> Subject: Re: [Simple-evcorr-users] Negation
>> 
>> So ok...using regex101.com it looks like org still matches...should I
>> just try and test using sec or does regex101.com mirror what sec would
>> do?  Example:
>> 
>> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>> 
>> 
>> bleh://something[.]org/something/something.php?id=sj98sdf7s978sdf
>> 
>> and this still matches, again, according to regex101.  Might have to
>> just give it a test.  Thanks again...VERY helpful!
>> 
>> James
>> 
>> On 2017-03-17 10:02, Todd M. Hall wrote:
>>> Let us know if it works or not so it'll be searchable for others 
>>> later.
>>> Performance won't likely be a problem unless you have a busy SEC
>>> process.
>>> 
>>> 
>>> On Fri, 17 Mar 2017, James Lay wrote:
>>> 
>>>> Date: Fri, 17 Mar 2017 10:47:00 -0500
>>>> From: James Lay <j...@slave-tothe-box.net>
>>>> To: simple-evcorr-users@lists.sourceforge.net
>>>> Subject: Re: [Simple-evcorr-users] Negation
>>>> 
>>>> Thanks Todd...I had the regex101.com link up and trying to learn about
>>>> lookahead/behind...it makes my head hurt.
>>>> 
>>>> James
>>>> 
>>>> On 2017-03-17 09:02, Todd M. Hall wrote:
>>>>> I've not verified if this works in SEC, but you could maybe do a
>>>>> negative lookahead/behind
>>>>> 
>>>>> \.php\?id=[0-9A-Za-z]{8}(?!\.net|\.org)
>>>>> 
>>>>> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>>>>> 
>>>>> There may be a bit of a performance hit with using these though.
>>>>> Give them a try.
>>>>> 
>>>>> 
>>>>> On Thu, 16 Mar 2017, James Lay wrote:
>>>>> 
>>>>>> Date: Thu, 16 Mar 2017 17:42:25 -0500
>>>>>> From: James Lay <j...@slave-tothe-box.net>
>>>>>> To: Simple Event Correlator <simple-evcorr-users@lists.sourceforge.net>
>>>>>> Subject: [Simple-evcorr-users] Negation
>>>>>> 
>>>>>> Hey all,
>>>>>> 
>>>>>> So I'm trying to create a rule to match this pattern:
>>>>>> 
>>>>>> "\.php\?id=[0-9A-Za-z]{8}"
>>>>>> 
>>>>>> The caveat is that I can't match certain things like, for example,
>>>>>> "\.net|\.org".  How do I create a regex with negation for SEC?
>>>>>> Thank you.
>>>>>> 
>>>>>> James
>>>>>> 
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>> _______________________________________________
>>>>>> Simple-evcorr-users mailing list
>>>>>> Simple-evcorr-users@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>>>> 
>>>>> 
>>>>> --
>>>>> Todd M. Hall
>>>>> Sr. Network Analyst
>>>>> Information Technology Services
>>>>> Mississippi State University
>>>>> t...@msstate.edu
>>>>> 662-325-9311 (phone)
>>>>> 
>>>> 
>>>> 
>>> 
>>> --
>>> Todd M. Hall
>>> Sr. Network Analyst
>>> Information Technology Services
>>> Mississippi State University
>>> t...@msstate.edu
>>> 662-325-9311 (phone)
>>> 
>> 
>> 

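The thread's patterns, checked against constructed Zeek/Bro-style http.log lines (added example, not code from the list or from SEC). Python's re stands in for SEC's Perl regex engine; the fixed-width lookarounds used here behave the same in both. The sample lines, hosts and the HOST_TLD_EXCLUDED pattern are assumptions constructed for this example: the three thread patterns all still match a .org host because their lookaround sits where the host string has already been consumed (or is never examined), while a lookahead anchored right after "//" inspects the host before any "/" is matched.

```python
import re

# Constructed Zeek/Bro-style http.log lines (tab separated). Real dots are
# used here; the thread's pasted line was defanged with "[.]". Hosts are
# placeholders, not real indicators.
LOG_LINES = [
    "1489675789.785756\tCK7Ssz32GqWWIzfMXi\t10.0.0.1\t37876\t10.0.0.2\t25\t"
    "something.us\thttp://something.us/something/something.php?id=7a6dfhys",
    "1489675790.000001\tCK7Ssz32GqWWIzfMXj\t10.0.0.1\t37877\t10.0.0.3\t80\t"
    "something.org\thttp://something.org/something/something.php?id=sj98sdf7",
    "1489675791.000002\tCK7Ssz32GqWWIzfMXk\t10.0.0.1\t37878\t10.0.0.4\t80\t"
    "example.net\thttp://example.net/a/b.php?id=Ab12Cd34",
]

# Patterns exactly as proposed in the thread.
THREAD_PATTERNS = {
    "lookahead_after_id": r"\.php\?id=[0-9A-Za-z]{8}(?!\.net|\.org)",
    "lookbehind_then_S+": r"(?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}",
    "lookahead_after_host": r"\/\/[^\/ ]+(?!\.net|\.org)\/\S+.php\?id=[0-9A-Za-z]{8}",
}

# Assumed corrected pattern: the negative lookahead is placed directly after
# "//", so it scans the whole host up to the first "/" before the greedy host
# match can step past the TLD check. Literal "." in ".php" is escaped too.
HOST_TLD_EXCLUDED = r"//(?![^/\s]*\.(?:net|org)/)[^/\s]+/\S*\.php\?id=[0-9A-Za-z]{8}"


def matching_hosts(pattern: str, lines=LOG_LINES) -> list[str]:
    """Return the host field (7th tab-separated column) of each line the pattern matches."""
    rx = re.compile(pattern)
    return [ln.split("\t")[6] for ln in lines if rx.search(ln)]


def compare_patterns() -> dict[str, list[str]]:
    """Run each thread pattern plus the corrected one over the sample lines."""
    results = {name: matching_hosts(p) for name, p in THREAD_PATTERNS.items()}
    results["host_tld_excluded"] = matching_hosts(HOST_TLD_EXCLUDED)
    return results


if __name__ == "__main__":
    for name, hosts in compare_patterns().items():
        print(f"{name:22s} -> {hosts}")
```

Note that `{8}` with no boundary after it also matches the first eight characters of a longer id such as the 11-character one in the pasted line; add `(?![0-9A-Za-z])` after the class if the id must be exactly eight characters.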