In message <d4369eeb41a9b78afcdbb5a5535b3020@localhost>,
James Lay writes:
>So I'm trying to create a rule to match this pattern:
>
>"\.php\?id=[0-9A-Za-z]{8}"
>
>The caveat is that I can't match certain things like, for example
>"\.net|\.org". How do I create a regex with negation for SEC? Thank
>you.

If I understand you correctly, you want to use the following sequence
of rules:

  type = single
  comment = rule 1
  ptype = regexp
  pattern = \.net|\.org
  action = logonly

  type = single
  comment = rule 2
  ptype = regexp
  pattern = \.php\?id=[0-9A-Za-z]{8}
  [...]
  action = do something.

Rule 1 will match what you want to exclude. By default a matching rule
stops processing for the event. So this sequence will prevent any
event matching .net or .org from being seen by rule 2.

I assume you will want

  https?://[^/]+(\.net|\.org)/

or something to constrain where .org or .net show up in rule 1.

Also there is a way to trigger a rule if a regexp does not match. Look
for pattern type (ptype) nregexp in the man page. I don't think that's
what you want for your use case but...

Hope this helps.

--
-- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
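
The following is an added example, not part of the original message and not SEC code: a small Python model of the two-rule sequence above, in which the first matching rule consumes the event, run once with the loose exclusion pattern and once with the host-constrained one. The function names, the "alert" action standing in for "do something", and the sample log lines are constructed for illustration.

```python
import re

# Patterns taken from the thread.
PHP_ID = r"\.php\?id=[0-9A-Za-z]{8}"
LOOSE_EXCLUDE = r"\.net|\.org"                   # rule 1 as first written
HOST_EXCLUDE = r"https?://[^/]+(\.net|\.org)/"   # rule 1 constrained to the host part

def build_rules(exclude_pattern):
    """Ordered rule list: the exclusion rule comes first, the detection rule second."""
    return [
        ("rule 1", re.compile(exclude_pattern), "logonly"),
        ("rule 2", re.compile(PHP_ID), "alert"),  # "alert" is a placeholder action
    ]

def process(line, rules):
    """Return (rule name, action) of the first matching rule, or None."""
    for name, pattern, action in rules:
        if pattern.search(line):
            return name, action   # a matching rule stops processing for this event
    return None

def alerts(lines, exclude_pattern):
    """Lines that reach rule 2, i.e. were not consumed by the exclusion rule."""
    rules = build_rules(exclude_pattern)
    return [line for line in lines if process(line, rules) == ("rule 2", "alert")]

# Constructed sample events (not from the original thread).
SAMPLE = [
    "GET http://shop.example.com/view.php?id=Ab12Cd34",
    "GET http://mirror.example.org/view.php?id=Ab12Cd34",
    "GET http://cdn.example.net/view.php?id=Zz99Yy88",
    "GET http://shop.example.com/view.php?id=Qq11Ww22&ref=asp.net",
    "GET http://shop.example.com/index.html",
]

if __name__ == "__main__":
    for label, pat in (("loose", LOOSE_EXCLUDE), ("host-only", HOST_EXCLUDE)):
        print(label)
        for line in alerts(SAMPLE, pat):
            print("  alert:", line)
```

With the loose pattern the fourth sample line is swallowed by rule 1 because ".net" appears in its query string; the host-constrained pattern lets it through to rule 2.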