Hi Todd, Since SEC is written in Perl, it uses Perl's regular expression engine, and therefore supports all regular expression features that are supported by the underlying Perl version. Since SEC requires perl 5.8 or later which all have lookaheads and lookbehinds, they can also be used in rule definitions. Kind regards, risto
> -----Original Message----- > From: Todd M. Hall [mailto:t...@msstate.edu] > Sent: Friday, March 17, 2017 5:02 PM > To: Simple Event Corralator <simple-evcorr-users@lists.sourceforge.net> > Subject: Re: [Simple-evcorr-users] Negation > > I've not verified if this works in SEC, but you could maybe do a negative > lookahead/behind > > \.php\?id=[0-9A-Za-z]{8}(?!\.net|\.org) > > (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8} > > There may be a bit of a performance hit with using these though. Give them > a try. > > > On Thu, 16 Mar 2017, James Lay wrote: > > > Date: Thu, 16 Mar 2017 17:42:25 -0500 > > From: James Lay <j...@slave-tothe-box.net> > > To: Simple Event Corralator <simple-evcorr-users@lists.sourceforge.net> > > Subject: [Simple-evcorr-users] Negation > > > > Hey all, > > > > So I'm trying to create a rule to match this pattern: > > > > "\.php\?id=[0-9A-Za-z]{8}" > > > > The caveat is that I can't match certain things like, for example > > "\.net|\.org". How do I create a regex with negation for SEC? Thank > > you. > > > > James > > > > ------------------------------------------------------------------------------ > > Check out the vibrant tech community on one of the world's most > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > > _______________________________________________ > > Simple-evcorr-users mailing list > > Simple-evcorr-users@lists.sourceforge.net > > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users > > > > -- > Todd M. Hall > Sr. Network Analyst > Information Technology Services > Mississippi State University > t...@msstate.edu > 662-325-9311 (phone) > > ------------------------------------------------------------------------------ > Check out the vibrant tech community on one of the world's most > engaging tech sites, Slashdot.org! http://sdm.link/slashdot > _______________________________________________ > Simple-evcorr-users mailing list > Simple-evcorr-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ Simple-evcorr-users mailing list Simple-evcorr-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
