I've not verified if this works in SEC, but you could maybe do a negative
lookahead/behind
\.php\?id=[0-9A-Za-z]{8}(?!\.net|\.org)
(?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
There may be a bit of a performance hit with using these though. Give them a
try.
On Thu, 16 Mar 2017, James Lay wrote:
> Date: Thu, 16 Mar 2017 17:42:25 -0500
> From: James Lay <j...@slave-tothe-box.net>
> To: Simple Event Corralator <simple-evcorr-users@lists.sourceforge.net>
> Subject: [Simple-evcorr-users] Negation
>
> Hey all,
>
> So I'm trying to create a rule to match this pattern:
>
> "\.php\?id=[0-9A-Za-z]{8}"
>
> The caveat is that I can't match certain things like, for example
> "\.net|\.org". How do I create a regex with negation for SEC? Thank
> you.
>
> James
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Simple-evcorr-users mailing list
> Simple-evcorr-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>
--
Todd M. Hall
Sr. Network Analyst
Information Technology Services
Mississippi State University
t...@msstate.edu
662-325-9311 (phone)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Simple-evcorr-users mailing list
Simple-evcorr-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
