James,

The pattern would need to be a little different to work correctly.

The \S+ is breaking it.

This would be easier to see with an actual log line, but try this...

\/\/[^\/ ]+(?!\.net|\.org)\/\S+.php\?id=[0-9A-Za-z]{8}


On Fri, 17 Mar 2017, James Lay wrote:

> Date: Fri, 17 Mar 2017 11:13:05 -0500
> From: James Lay <j...@slave-tothe-box.net>
> To: simple-evcorr-users@lists.sourceforge.net
> Subject: Re: [Simple-evcorr-users] Negation
> 
> So ok...using regex101.com it looks like org still matches...should I
> just try and test using sec or does regex101.com mirror what sec would
> do?  Example:
>
> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>
>
> bleh://something[.]org/something/something.php?id=sj98sdf7s978sdf
>
> and this still matches, again, according to regex101.  Might have to
> just give it a test.  Thanks again...VERY helpful!
>
> James
>
> On 2017-03-17 10:02, Todd M. Hall wrote:
>> Let us know if it works or not so it'll be searchable for others later.
>> Performance won't likely be a problem unless you have a busy SEC
>> process.
>>
>>
>> On Fri, 17 Mar 2017, James Lay wrote:
>>
>>> Date: Fri, 17 Mar 2017 10:47:00 -0500
>>> From: James Lay <j...@slave-tothe-box.net>
>>> To: simple-evcorr-users@lists.sourceforge.net
>>> Subject: Re: [Simple-evcorr-users] Negation
>>>
>>> Thanks Todd...I had the regex101.com link up and trying to learn about
>>> lookahead/behind...it makes my head hurt.
>>>
>>> James
>>>
>>> On 2017-03-17 09:02, Todd M. Hall wrote:
>>>> I've not verified if this works in SEC, but you could maybe do a
>>>> negative lookahead/behind
>>>>
>>>> \.php\?id=[0-9A-Za-z]{8}(?!\.net|\.org)
>>>>
>>>> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>>>>
>>>> There may be a bit of a performance hit with using these though.
>>>> Give them a try.
>>>>
>>>>
>>>> On Thu, 16 Mar 2017, James Lay wrote:
>>>>
>>>>> Date: Thu, 16 Mar 2017 17:42:25 -0500
>>>>> From: James Lay <j...@slave-tothe-box.net>
>>>>> To: Simple Event Corralator
>>>>> <simple-evcorr-users@lists.sourceforge.net>
>>>>> Subject: [Simple-evcorr-users] Negation
>>>>>
>>>>> Hey all,
>>>>>
>>>>> So I'm trying to create a rule to match this pattern:
>>>>>
>>>>> "\.php\?id=[0-9A-Za-z]{8}"
>>>>>
>>>>> The caveat is that I can't match certain things like, for example
>>>>> "\.net|\.org".  How do I create a regex with negation for SEC?
>>>>> Thank you.
>>>>>
>>>>> James
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> Check out the vibrant tech community on one of the world's most
>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>> _______________________________________________
>>>>> Simple-evcorr-users mailing list
>>>>> Simple-evcorr-users@lists.sourceforge.net
>>>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>>>
>>>>
>>>> --
>>>> Todd M. Hall
>>>> Sr. Network Analyst
>>>> Information Technology Services
>>>> Mississippi State University
>>>> t...@msstate.edu
>>>> 662-325-9311 (phone)
>>>>
>>>
>>>
>>
>> --
>> Todd M. Hall
>> Sr. Network Analyst
>> Information Technology Services
>> Mississippi State University
>> t...@msstate.edu
>> 662-325-9311 (phone)
>>
>
>

-- 
Todd M. Hall
Sr. Network Analyst
Information Technology Services
Mississippi State University
t...@msstate.edu
662-325-9311 (phone)
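
The patterns quoted in this thread, run against constructed log lines, as an added example that is not part of the original messages. It is written in Python, whose lookahead/lookbehind semantics match Perl's (which SEC uses) for these constructs; the sample lines, the host names and the `ANCHORED` variant are assumptions made for illustration.

```python
import re

# Constructed sample log lines (not from the thread); hosts are placeholders.
SAMPLES = {
    "org": "GET http://example.org/a/b.php?id=sj98sdf7s978sdf",
    "net": "GET http://example.net/x.php?id=AAAA1111",
    "com": "GET http://example.com/a/b.php?id=sj98sdf7s978sdf",
    "org_port": "GET http://example.org:8080/a/b.php?id=AAAA1111",
    "org_in_path": "GET http://example.com/mirror.org/b.php?id=AAAA1111",
}

# Patterns exactly as quoted in the thread.
THREAD = {
    # Lookahead is tested after the id, where ".net"/".org" never appears.
    "lookahead_after_id": r"\.php\?id=[0-9A-Za-z]{8}(?!\.net|\.org)",
    # Lookbehind is tested where \S+ starts, i.e. before the URL, not after the host.
    "lookbehind_before_S+": r"(?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}",
    # Lookahead is tested at the "/" that follows the host, so it looks forward
    # into the path instead of back at the host suffix.
    "lookahead_after_host": r"\/\/[^\/ ]+(?!\.net|\.org)\/\S+.php\?id=[0-9A-Za-z]{8}",
}

# Added variant (assumption, not from the thread): a lookbehind placed right
# after the host, which is pinned between "//" and the next ":" or "/".
# Because the host class excludes ":" and "/", backtracking cannot shorten the
# host to slip past the lookbehind, and an optional port is handled separately.
ANCHORED = r"\/\/[^\/ :]+(?<!\.net|\.org)(?::\d+)?\/\S+\.php\?id=[0-9A-Za-z]{8}"


def matches(pattern, line):
    """Return True if the pattern is found anywhere in the line."""
    return re.search(pattern, line) is not None


def report():
    """Map each pattern name to {sample name: matched?}."""
    patterns = dict(THREAD, anchored_lookbehind=ANCHORED)
    return {
        name: {label: matches(pat, line) for label, line in SAMPLES.items()}
        for name, pat in patterns.items()
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:22} {result}")
```

The lookbehind alternatives must have the same length (here four characters each), which holds for `\.net` and `\.org` but would not for a mix such as `\.org` and `\.info`.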
