Thanks a bunch, Risto... that totally worked.  As for the Suppress 
rule... that really does sound like the easiest way to go... my challenge 
at the time was that my logonly impacted my entire configuration.  Is 
there a link I can read that will show me how to do a per-rule suppress? 
  And the breakdown of the full expression was REALLY helpful... thanks 
again so much for all your great work as well, Risto... I can't imagine 
running a box without sec on it.

James

On 2017-03-17 11:23, Risto Vaarandi wrote:
> hi Todd and James,
> 
> if I may, maybe I can adjust the previous expression just a little
> bit:
> 
> \/\/([^\/.]+\.)*(?!net\/|org\/)[^\/.]+\/\S+\.php\?id=[0-9A-Za-z]{8}
> 
> Maybe I can also explain some key components:
> 
> \/\/ -- match two slashes
> [^\/.]+ -- match a sequence of characters which are neither slashes
> nor dots (used to match one part from a multipart name, e.g. "example"
> from "www.example.com")
> ([^\/.]+\.)* -- match all name parts that precede the last part (e.g.,
> "www.example." from "www.example.com")
> (?!net\/|org\/) -- make sure the last name part is neither "net" nor
> "org" with a separating slash
> [^\/.]+\/ -- match the last name part with a separating slash (if your
> top-level domains are known to contain letters only, you can rewrite
> this construct as [A-Za-z]+\/ for the sake of readability)
> 
> I have only done a couple of tests with the above expression and
> hopefully there are no mistakes in it :-)
> 
> But if you want to keep things as simple as possible, maybe you can
> follow John's advice and employ a filtering rule before the main rule
> (sec has a special rule type Suppress for such filtering tasks).
> 
> There is yet another alternative -- if you want to split the above
> complex regular expression into two expressions which are joined with
> "(NOT regex1) AND regex2", you can take advantage of the PerlFunc
> pattern.
> 
> Hope this helps,
> risto
> 
> 
> 2017-03-17 18:46 GMT+02:00 Todd M. Hall <t...@msstate.edu>:
>> James,
>> 
>> The pattern would need to be a little different to work correctly.
>> 
>> The \S+ is breaking it.
>> 
>> This would be easier to see with an actual log line, but try this...
>> 
>> \/\/[^\/ ]+(?!\.net|\.org)\/\S+.php\?id=[0-9A-Za-z]{8}
>> 
>> 
>> On Fri, 17 Mar 2017, James Lay wrote:
>> 
>>> Date: Fri, 17 Mar 2017 11:13:05 -0500
>>> From: James Lay <j...@slave-tothe-box.net>
>>> To: simple-evcorr-users@lists.sourceforge.net
>>> Subject: Re: [Simple-evcorr-users] Negation
>>> 
>>> So ok... using regex101.com it looks like org still matches... should I
>>> just try and test using sec, or does regex101.com mirror what sec would
>>> do?  Example:
>>> 
>>> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>>> 
>>> 
>>> bleh://something[.]org/something/something.php?id=sj98sdf7s978sdf
>>> 
>>> and this still matches, again, according to regex101.  Might have to
>>> just give it a test.  Thanks again...VERY helpful!
>>> 
>>> James
>>> 
>>> On 2017-03-17 10:02, Todd M. Hall wrote:
>>>> Let us know if it works or not so it'll be searchable for others later.
>>>> Performance won't likely be a problem unless you have a busy SEC
>>>> process.
>>>> 
>>>> 
>>>> On Fri, 17 Mar 2017, James Lay wrote:
>>>> 
>>>>> Date: Fri, 17 Mar 2017 10:47:00 -0500
>>>>> From: James Lay <j...@slave-tothe-box.net>
>>>>> To: simple-evcorr-users@lists.sourceforge.net
>>>>> Subject: Re: [Simple-evcorr-users] Negation
>>>>> 
>>>>> Thanks Todd... I had the regex101.com link up and was trying to learn
>>>>> about lookahead/behind... it makes my head hurt.
>>>>> 
>>>>> James
>>>>> 
>>>>> On 2017-03-17 09:02, Todd M. Hall wrote:
>>>>>> I've not verified if this works in SEC, but you could maybe do a
>>>>>> negative lookahead/behind
>>>>>> 
>>>>>> \.php\?id=[0-9A-Za-z]{8}(?!\.net|\.org)
>>>>>> 
>>>>>> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>>>>>> 
>>>>>> There may be a bit of a performance hit with using these though.
>>>>>> Give them a try.
>>>>>> 
>>>>>> 
>>>>>> On Thu, 16 Mar 2017, James Lay wrote:
>>>>>> 
>>>>>>> Date: Thu, 16 Mar 2017 17:42:25 -0500
>>>>>>> From: James Lay <j...@slave-tothe-box.net>
>>>>>>> To: Simple Event Correlator
>>>>>>> <simple-evcorr-users@lists.sourceforge.net>
>>>>>>> Subject: [Simple-evcorr-users] Negation
>>>>>>> 
>>>>>>> Hey all,
>>>>>>> 
>>>>>>> So I'm trying to create a rule to match this pattern:
>>>>>>> 
>>>>>>> "\.php\?id=[0-9A-Za-z]{8}"
>>>>>>> 
>>>>>>> The caveat is that I can't match certain things like, for example,
>>>>>>> "\.net|\.org".  How do I create a regex with negation for SEC?
>>>>>>> Thank you.
>>>>>>> 
>>>>>>> James
>>>>>>> 
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>> _______________________________________________
>>>>>>> Simple-evcorr-users mailing list
>>>>>>> Simple-evcorr-users@lists.sourceforge.net
>>>>>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Todd M. Hall
>>>>>> Sr. Network Analyst
>>>>>> Information Technology Services
>>>>>> Mississippi State University
>>>>>> t...@msstate.edu
>>>>>> 662-325-9311 (phone)
>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>> 
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>> _______________________________________________
>>> Simple-evcorr-users mailing list
>>> Simple-evcorr-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>> 
>> 

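An added example, not code posted in the thread: the three candidate expressions above, run over a handful of constructed log lines with Python's re module, which treats the constructs involved (negative lookahead, fixed-width negative lookbehind, a greedy `\S+`) the same way SEC's Perl regex engine does. It shows why the lookbehind attempt still reports the .org URL (the `\S+` simply starts at a position that is not preceded by ".net" or ".org"), why the variant with `[^\/ ]+` followed by a lookahead does too (the character class swallows the whole host name, so the lookahead is evaluated in front of the slash), and that the last-name-part check excludes exactly the .net and .org hosts while still reporting a host like example.org.uk. It also implements the "(NOT regex1) AND regex2" split as a plain function, which is the logic a Suppress rule placed before the main rule, or a PerlFunc pattern, carries inside SEC. The sample lines and the EXCLUDE_TLD / PHP_ID split are assumptions made here; the final check still belongs in SEC itself.

```python
import re

# The expressions from the thread, copied verbatim. Python's re accepts the
# "\/" escapes and the same-width alternatives inside the lookbehind.
LOOKBEHIND_ATTEMPT = re.compile(r'(?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}')
LOOKAHEAD_ATTEMPT = re.compile(r'\/\/[^\/ ]+(?!\.net|\.org)\/\S+.php\?id=[0-9A-Za-z]{8}')
LAST_LABEL_CHECK = re.compile(
    r'\/\/([^\/.]+\.)*(?!net\/|org\/)[^\/.]+\/\S+\.php\?id=[0-9A-Za-z]{8}')

# Two-expression form for "(NOT regex1) AND regex2" (assumed split, not from
# the thread): regex1 names what to drop, regex2 what to report and capture.
EXCLUDE_TLD = re.compile(r'\/\/([^\/.]+\.)*(net|org)\/')
PHP_ID = re.compile(r'\.php\?id=([0-9A-Za-z]{8})')

# Constructed sample log lines (not from the original thread). Only lines
# 0, 1 and 4 should be reported: .net and .org hosts are excluded, and
# "org" in example.org.uk is not the last name part.
SAMPLE_LINES = [
    "GET bleh://www.example.com/index.php?id=abcd1234 200",
    "GET bleh://something.co/dir/page.php?id=sj98sdf7s978sdf 200",
    "GET bleh://something.org/something/something.php?id=sj98sdf7s978sdf 200",
    "GET bleh://cdn.example.net/a/b.php?id=0123ABCD 200",
    "GET bleh://example.org.uk/x.php?id=zzzzzzzz 200",
    "GET bleh://www.example.com/index.html 200",
]


def flagged(pattern, lines):
    """Lines one expression reports, like a SEC Single rule with ptype=RegExp."""
    return [line for line in lines if pattern.search(line)]


def flagged_two_step(lines):
    """Lines reported by '(NOT exclude) AND include': the work a Suppress rule
    in front of the main rule, or a PerlFunc pattern, would do inside SEC."""
    return [line for line in lines
            if not EXCLUDE_TLD.search(line) and PHP_ID.search(line)]


def php_ids(lines):
    """The captured 8-character id for each line the two-step check reports."""
    return [PHP_ID.search(line).group(1) for line in flagged_two_step(lines)]


if __name__ == "__main__":
    candidates = [
        ("lookbehind attempt", LOOKBEHIND_ATTEMPT),
        ("lookahead attempt", LOOKAHEAD_ATTEMPT),
        ("last-name-part check", LAST_LABEL_CHECK),
    ]
    for name, pattern in candidates:
        hits = flagged(pattern, SAMPLE_LINES)
        print(f"{name}: {len(hits)} line(s) reported")
        for line in hits:
            print("   ", line)
    print("two-step check ids:", php_ids(SAMPLE_LINES))
```

Running it shows the first two expressions reporting all five php?id= lines, .net and .org included, while the last-name-part check and the two-step check agree on three.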

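As an added example (not configuration posted in the thread), this is what the per-rule filtering Risto describes looks like in a SEC rule file: a Suppress rule placed in front of the main rule, and, as the alternative, a single rule whose PerlFunc pattern applies "(NOT regex1) AND regex2" itself. The desc strings and the `write` action are placeholders; the regular expressions are the ones from the thread. Assumed here: SEC's default of `continue=DontCont`, so an event matched by the Suppress rule (or by the Single rule) is not handed to any later rule. That is also why the two alternatives belong in separate rule files: in one file the Single rule would consume every php?id= event before the PerlFunc rule saw it.

```sec
# Alternative A: filtering rule in front of the main rule.
# A matching Suppress rule ends processing of the event, so php?id= lookups
# whose last host name part is net or org never reach the rule below it.
type=Suppress
ptype=RegExp
pattern=\/\/([^\/.]+\.)*(net|org)\/\S+\.php\?id=[0-9A-Za-z]{8}
desc=drop php id lookups against .net and .org hosts

# Main rule; its pattern stays simple because the exclusion was done above.
type=Single
ptype=RegExp
pattern=\.php\?id=([0-9A-Za-z]{8})
desc=php id lookup $1
action=write - php id lookup seen: $0

# Alternative B (separate rule file): one rule, PerlFunc applies both
# expressions. Returning 0 means "no match"; returning a list makes its
# elements available as $1, $2, ... in desc and action.
type=Single
ptype=PerlFunc
pattern=sub { my($line) = $_[0]; \
  return 0 if $line =~ /\/\/([^\/.]+\.)*(net|org)\//; \
  return ($line =~ /\.php\?id=([0-9A-Za-z]{8})/) ? ($1) : 0; }
desc=php id lookup $1 on a host that is not .net or .org
action=write - php id lookup seen: $0
```

To try either file offline, pipe a few sample lines into `sec --conf=<file> --input=-` and check that only the non-.net/.org lookups are written out; a line with a .org host must produce no output at all, not a suppressed-rule log entry.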