hi Todd and James,

if I may, maybe I can adjust the previous expression just a little bit:

\/\/([^\/.]+\.)*(?!net\/|org\/)[^\/.]+\/\S+\.php\?id=[0-9A-Za-z]{8}

Maybe I can also explain some key components:

\/\/ -- match two slashes
[^\/.]+ -- match a sequence of characters which are neither slashes
nor dots (used to match one part from a multipart name, e.g. "example"
from "www.example.com")
([^\/.]+\.)* -- match all name parts that precede the last part (e.g.,
"www.example." from "www.example.com")
(?!net\/|org\/) -- make sure the last name part is neither "net" nor
"org" with a separating slash
[^\/.]+\/ -- match the last name part with a separating slash (if your
top-level domains are known to contain letters only, you can rewrite
this construct as [A-Za-z]+\/ for the sake of readability)

I have only done a couple of tests with the above expression and
hopefully there are no mistakes in it :-)

But if you want to keep things as simple as possible, maybe you can
follow John's advice and employ a filtering rule before the main rule
(sec has a special rule type Suppress for such filtering tasks).

There is yet another alternative -- if you want to split the above
complex regular expression into two expressions which are joined with
"(NOT regex1) AND regex2", you can take advantage of the PerlFunc
pattern.

Hope this helps,
risto

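A small harness to try the patterns from this thread side by side, added here and not part of risto's message or of SEC itself: it runs risto's combined expression, James's lookbehind attempt, and a "(NOT regex1) AND regex2" split in the spirit of the PerlFunc suggestion against constructed log lines. The two regexes used in the split (including the optional :port the host exclusion tolerates) are my own choices, not from the thread.

```python
import re

# risto's combined expression (Perl syntax, also valid for Python's re)
COMBINED = re.compile(r'\/\/([^\/.]+\.)*(?!net\/|org\/)[^\/.]+\/\S+\.php\?id=[0-9A-Za-z]{8}')

# James's original lookbehind attempt, kept for comparison
LOOKBEHIND = re.compile(r'(?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}')

# "(NOT regex1) AND regex2" split; both regexes are assumptions of this example.
# regex1 matches a .net/.org host (with an optional :port), regex2 is the wanted part.
EXCLUDE_HOST = re.compile(r'\/\/[^\/]+\.(?:net|org)(?::[0-9]+)?\/')
WANTED = re.compile(r'\.php\?id=[0-9A-Za-z]{8}')


def combined_matches(line: str) -> bool:
    return COMBINED.search(line) is not None


def lookbehind_matches(line: str) -> bool:
    return LOOKBEHIND.search(line) is not None


def split_matches(line: str) -> bool:
    """What a PerlFunc pattern would return: regex2 matches and regex1 does not."""
    return WANTED.search(line) is not None and EXCLUDE_HOST.search(line) is None


# Constructed sample log lines (not taken from the thread)
SAMPLE_LINES = [
    "GET http://www.example.com/path/index.php?id=Ab12Cd34 200",
    "GET http://www.example.org/path/index.php?id=Ab12Cd34 200",
    "GET http://www.example.net/path/index.php?id=Ab12Cd34 200",
    "GET http://cdn.example.com/assets.net/view.php?id=Ab12Cd34 200",
    "GET http://www.example.org:8080/path/index.php?id=Ab12Cd34 200",
]


def classify(lines):
    """Map each line to (combined, lookbehind, split) match results."""
    return {l: (combined_matches(l), lookbehind_matches(l), split_matches(l)) for l in lines}


if __name__ == "__main__":
    for line, (c, lb, sp) in classify(SAMPLE_LINES).items():
        print(f"combined={c!s:5} lookbehind={lb!s:5} split={sp!s:5}  {line}")
```

The lookbehind version matches every line, since `\S+` can start anywhere before the host; the combined expression only rejects the bare .net/.org hosts, and a host followed by :port slips past its `[^\/.]+\/` step, which the split version's regex1 handles.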

2017-03-17 18:46 GMT+02:00 Todd M. Hall <t...@msstate.edu>:
> James,
>
> The pattern would need to be a little different to work correctly.
>
> The \S+ is breaking it.
>
> This would be easier to see an actual log line, but try this...
>
> \/\/[^\/ ]+(?!\.net|\.org)\/\S+.php\?id=[0-9A-Za-z]{8}
>
>
> On Fri, 17 Mar 2017, James Lay wrote:
>
>> Date: Fri, 17 Mar 2017 11:13:05 -0500
>> From: James Lay <j...@slave-tothe-box.net>
>> To: simple-evcorr-users@lists.sourceforge.net
>> Subject: Re: [Simple-evcorr-users] Negation
>>
>> So ok...using regex101.com it looks like org still matches...should I
>> just try and test using sec or does regex101.com mirror what sec would
>> do?  Example:
>>
>> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>>
>>
>> bleh://something[.]org/something/something.php?id=sj98sdf7s978sdf
>>
>> and this still matches, again, according to regex101.  Might have to
>> just give it a test.  Thanks again...VERY helpful!
>>
>> James
>>
>> On 2017-03-17 10:02, Todd M. Hall wrote:
>>> Let us know if it works or not so it'll be searchable for others later.
>>> Performance won't likely be a problem unless you have a busy SEC
>>> process.
>>>
>>>
>>> On Fri, 17 Mar 2017, James Lay wrote:
>>>
>>>> Date: Fri, 17 Mar 2017 10:47:00 -0500
>>>> From: James Lay <j...@slave-tothe-box.net>
>>>> To: simple-evcorr-users@lists.sourceforge.net
>>>> Subject: Re: [Simple-evcorr-users] Negation
>>>>
>>>> Thanks Todd...I had the regex101.com link up and trying to learn about
>>>> lookahead/behind...it makes my head hurt.
>>>>
>>>> James
>>>>
>>>> On 2017-03-17 09:02, Todd M. Hall wrote:
>>>>> I've not verified if this works in SEC, but you could maybe do a
>>>>> negative lookahead/behind
>>>>>
>>>>> \.php\?id=[0-9A-Za-z]{8}(?!\.net|\.org)
>>>>>
>>>>> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>>>>>
>>>>> There may be a bit of a performance hit with using these though.
>>>>> Give them a try.
>>>>>
>>>>>
>>>>> On Thu, 16 Mar 2017, James Lay wrote:
>>>>>
>>>>>> Date: Thu, 16 Mar 2017 17:42:25 -0500
>>>>>> From: James Lay <j...@slave-tothe-box.net>
>>>>>> To: Simple Event Corralator
>>>>>> <simple-evcorr-users@lists.sourceforge.net>
>>>>>> Subject: [Simple-evcorr-users] Negation
>>>>>>
>>>>>> Hey all,
>>>>>>
>>>>>> So I'm trying to create a rule to match this pattern:
>>>>>>
>>>>>> "\.php\?id=[0-9A-Za-z]{8}"
>>>>>>
>>>>>> The caveat is that I can't match certain things like, for example
>>>>>> "\.net|\.org".  How do I create a regex with negation for SEC?
>>>>>> Thank you.
>>>>>>
>>>>>> James
>>>>>>
>>>>>> ------------------------------------------------------------------------------
>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>> _______________________________________________
>>>>>> Simple-evcorr-users mailing list
>>>>>> Simple-evcorr-users@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>>>>
>>>>>
>>>>> --
>>>>> Todd M. Hall
>>>>> Sr. Network Analyst
>>>>> Information Technology Services
>>>>> Mississippi State University
>>>>> t...@msstate.edu
>>>>> 662-325-9311 (phone)
>>>>>
>>>>
>>>
>>
>>
>
