Thomas, > If you restart assp with this bad regex (in a file) - assp will not be > able to ignore changes - and will show this in the stats.
The bad regex was in the bombheaderre.txt file for at least two days. What I did not mention is that I have my ASSP config set to restart after midnight. Anyway, I duplicated the bad regex; saved it; and restarted ASSP via services control panel. After restart, the REGEX Status was "no failed regular expressions". However, bombheaderre failed to load. Below is a log snippet of ASSP trying twice to load bombheaderre: 11-Oct-01 03:22:29 [startup] Error: weighted regex for bombHeaderRe is invalid 'Hundred.?Day)~.?Loan=>100' - Unmatched ) in regex; marked by <-- HERE in m/Hundred.?Day) <-- HERE ~.?Loan/ at C:\ASSP\assp.pl line 36924. 11-Oct-01 03:22:29 [startup] Warning: value for bombHeaderRe was not changed - all changes are ignored 11-Oct-01 03:22:29 [startup] Info: try to use unoptimized regex bombHeaderRe 11-Oct-01 03:22:32 [startup] Error: weighted regex for bombHeaderRe is invalid 'Hundred.?Day)~.?Loan=>100' - Unmatched ) in regex; marked by <-- HERE in m/Hundred.?Day) <-- HERE ~.?Loan/ at C:\ASSP\assp.pl line 36924. 11-Oct-01 03:22:32 [startup] Warning: value for bombHeaderRe was not changed - all changes are ignored The complete bad regex was: From: ?"?One.?(?:Hour|Hundred.?Day)~.?Loan=>100 Two errors: unmatched tilde and "=>100" in incorrect location, should have been after the tilde. Also, all of the spam I was previously stopping with bombheaderre was passing through during the bad regex. Michael Thomas Mathbox 978-687-3300 Toll Free: 1-877-MATHBOX (1-877-628-4269) On 9/29/2011 8:29 AM, Thomas Eckardt wrote: > If assp is able to correct a bad regex or to ignore an invalid change - > this is not shown in the stats - because the used regex is OK. > The stats shows the running state not the configured! > >> 11-Sep-28 16:20:20 [Main_Thread] Warning: value for bombHeaderRe was not > changed - all changes are ignored >> 11-Sep-28 16:20:20 [Main_Thread] Info: try to use unoptimized regex > bombHeaderRe > > If you restart assp with this bad regex (in a file) - assp will not be > able to ignore changes - and will show this in the stats. > > Thomas > > > > > > Von: Michael Thomas<[email protected]> > An: ASSP development mailing list<[email protected]> > Datum: 28.09.2011 23:32 > Betreff: [Assp-test] ASSP Worker/DB/Regex Status failed to detect > bad weighted regex > > > > > Thomas, > > I inadvertently created a bad weight in a regex. Log snippet below. I > noted increased spam, but did not associate it with a bad regex for > about 48 hours. During that time, ASSP Worker/DB/Regex Status reported > healthy, with no failed regular expressions. I check it regularly. > > Running version: ASSP version 2.0.2(3.0.03) > Yes, I am going to upgrade. Been really busy. > > 11-Sep-28 16:20:20 [Main_Thread] Error: weighted regex for bombHeaderRe > is invalid 'Hundred.?Day)~.?Loan=>100' - Unmatched ) in regex; marked by > <-- HERE in m/Hundred.?Day)<-- HERE ~.?Loan/ at C:\ASSP\assp.pl line > 36924. > 11-Sep-28 16:20:20 [Main_Thread] Warning: value for bombHeaderRe was not > changed - all changes are ignored > 11-Sep-28 16:20:20 [Main_Thread] Info: try to use unoptimized regex > bombHeaderRe > > > > > ------------------------------------------------------------------------------ > All the data continuously generated in your IT infrastructure contains a > definitive record of customers, application performance, security > threats, fraudulent activity and more. Splunk takes this data and makes > sense of it. Business sense. IT sense. Common sense. > http://p.sf.net/sfu/splunk-d2dcopy1 > > > > _______________________________________________ > Assp-test mailing list > [email protected] > https://lists.sourceforge.net/lists/listinfo/assp-test ------------------------------------------------------------------------------ All of the data generated in your IT infrastructure is seriously valuable. Why? It contains a definitive record of application performance, security threats, fraudulent activity, and more. Splunk takes this data and makes sense of it. IT sense. And common sense. http://p.sf.net/sfu/splunk-d2dcopy2 _______________________________________________ Assp-test mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/assp-test
