I've done tests with your bad regex - and ASSP is working as expected.

1. if you save the file, you get a red hint at top of the edit window that 
the regex is bad
2. if you ignore (1) and you reload or restart the GUI, you get a Java 
popup that the regex is bad - and the bad regex is shown in the stats - 
and the healthy dot is red

If you restart ASSP with the bad regex, the regex is set to a 
'never-match' one.
However, if you open the GUI after restart - you'll get the Java popup 
and the stats dot is red and the regex status shows the mistake in red.

> Also, all of the spam I was previously stopping with bombheaderre was
> passing through during the bad regex.

This is expected, because the failed regex will never match, if assp is 
restarted. If ASSP is still running after your bad changes - the old regex 
will be used.


However - there is an incomplete code part for non weighted regexes - this 
will be corrected in the next release.


Thomas
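
An added example, not part of the original messages and not ASSP code: a lint pass that can be run over a weighted-regex file before ASSP is reloaded or restarted, so that a bad entry is caught before the filter falls back to the old or the 'never-match' regex. It assumes the `~regex~=>weight` form with `|` separating entries (inferred from the fragment shown in the log line), and uses Python's `re` as a stand-in for Perl's engine, so Perl-only syntax may be flagged.

```python
import re

# Trailing "=>weight" marker, as in the thread's "=>100".
WEIGHT = re.compile(r"=>(-?\d+(?:\.\d+)?)$")

def split_weighted(line):
    """Split on '|' outside ~...~ spans; also report an unclosed '~'."""
    parts, buf, in_tilde = [], [], False
    for ch in line:
        if ch == "~":
            in_tilde = not in_tilde
        if ch == "|" and not in_tilde:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts, in_tilde

def lint_line(line):
    """Return a list of problems for one weighted-regex line (empty = OK)."""
    parts, unclosed = split_weighted(line.strip())
    problems = ["unmatched ~ delimiter"] if unclosed else []
    for part in parts:
        m = WEIGHT.search(part)
        body = part[:m.start()] if m else part
        if len(body) >= 2 and body[0] == "~" and body[-1] == "~":
            body = body[1:-1]
        if "=>" in body:
            problems.append(f"'=>' is not at the end of {part!r}")
        try:
            re.compile(body)  # stand-in for the Perl engine (assumption)
        except re.error as exc:
            problems.append(f"{part!r} does not compile: {exc}")
    return problems

def lint_rules(lines):
    """Map 1-based line number -> problems, for lines that have any."""
    report = {}
    for n, line in enumerate(lines, 1):
        if line.strip() and (found := lint_line(line)):
            report[n] = found
    return report

# Line 1 is the bad regex quoted in the thread; line 2 is a constructed repair.
SAMPLE = [
    'From: ?"?One.?(?:Hour|Hundred.?Day)~.?Loan=>100',
    '~From: ?"?One.?(?:Hour|Hundred.?Day).?Loan~=>100',
]
```

A non-empty result from `lint_rules` is the signal to keep the edited file out of production until it is fixed.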




From:    Michael Thomas <[email protected]>
To:      ASSP development mailing list <[email protected]>
Date:    01.10.2011 09:51
Subject: Re: [Assp-test] Reply: ASSP Worker/DB/Regex Status failed to detect bad weighted regex




Thomas,

 > If you restart assp with this bad regex (in a file) - assp will not be
 > able to ignore changes - and will show this in the stats.

The bad regex was in the bombheaderre.txt file for at least two days. 
What I did not mention is that I have my ASSP config set to restart 
after midnight. Anyway, I duplicated the bad regex; saved it; and 
restarted ASSP via services control panel. After restart, the REGEX 
Status was "no failed regular expressions". However, bombheaderre failed 
to load. Below is a log snippet of ASSP trying twice to load bombheaderre:

11-Oct-01 03:22:29 [startup] Error: weighted regex for bombHeaderRe is invalid 'Hundred.?Day)~.?Loan=>100' - Unmatched ) in regex; marked by <-- HERE in m/Hundred.?Day) <-- HERE ~.?Loan/ at C:\ASSP\assp.pl line 36924.
11-Oct-01 03:22:29 [startup] Warning: value for bombHeaderRe was not changed - all changes are ignored
11-Oct-01 03:22:29 [startup] Info: try to use unoptimized regex bombHeaderRe
11-Oct-01 03:22:32 [startup] Error: weighted regex for bombHeaderRe is invalid 'Hundred.?Day)~.?Loan=>100' - Unmatched ) in regex; marked by <-- HERE in m/Hundred.?Day) <-- HERE ~.?Loan/ at C:\ASSP\assp.pl line 36924.
11-Oct-01 03:22:32 [startup] Warning: value for bombHeaderRe was not changed - all changes are ignored

The complete bad regex was:

From: ?"?One.?(?:Hour|Hundred.?Day)~.?Loan=>100

Two errors: unmatched tilde and "=>100" in incorrect location, should 
have been after the tilde.

Also, all of the spam I was previously stopping with bombheaderre was 
passing through during the bad regex.

Michael Thomas
Mathbox
978-687-3300
Toll Free: 1-877-MATHBOX (1-877-628-4269)


On 9/29/2011 8:29 AM, Thomas Eckardt wrote:
> If assp is able to correct a bad regex or to ignore an invalid change -
> this is not shown in the stats - because the used regex is OK.
> The stats shows the running state not the configured!
>
>> 11-Sep-28 16:20:20 [Main_Thread] Warning: value for bombHeaderRe was not changed - all changes are ignored
>> 11-Sep-28 16:20:20 [Main_Thread] Info: try to use unoptimized regex bombHeaderRe
>
> If you restart assp with this bad regex (in a file) - assp will not be
> able to ignore changes - and will show this in the stats.
>
> Thomas
>
>
>
>
>
> From:    Michael Thomas <[email protected]>
> To:      ASSP development mailing list <[email protected]>
> Date:    28.09.2011 23:32
> Subject: [Assp-test] ASSP Worker/DB/Regex Status failed to detect bad weighted regex
>
>
>
>
> Thomas,
>
> I inadvertently created a bad weight in a regex. Log snippet below. I
> noted increased spam, but did not associate it with a bad regex for
> about 48 hours. During that time, ASSP Worker/DB/Regex Status reported
> healthy, with no failed regular expressions. I check it regularly.
>
> Running version: ASSP version 2.0.2(3.0.03)
> Yes, I am going to upgrade. Been really busy.
>
> 11-Sep-28 16:20:20 [Main_Thread] Error: weighted regex for bombHeaderRe is invalid 'Hundred.?Day)~.?Loan=>100' - Unmatched ) in regex; marked by <-- HERE in m/Hundred.?Day)<-- HERE ~.?Loan/ at C:\ASSP\assp.pl line 36924.
> 11-Sep-28 16:20:20 [Main_Thread] Warning: value for bombHeaderRe was not changed - all changes are ignored
> 11-Sep-28 16:20:20 [Main_Thread] Info: try to use unoptimized regex bombHeaderRe
