hi James,

Suppress rule has fortunately few fields and works in a straightforward way (you can also read more about it in the official documentation http://simple-evcorr.github.io/man.html when clicking on the link "Suppress Rule": http://simple-evcorr.github.io/man.html#lbAT).

Just to provide one example, consider the following rule:

type=Suppress
ptype=RegExp
pattern=http:\/\/[\w-]+\.example\.com

This rule matches any input lines which contain URLs for hosts in the example.com domain (like http://host1.example.com or http://abc.example.com). The above Suppress rule will simply not pass a matching line to the following rules for further processing.

If you would like to exclude .org and .net top level domains, you could use a very simple regular expression like \.(net|org)\/ in the Suppress rule. However, for avoiding accidental matches by other parts of the URL, you could also make this expression a bit more complex, such as http:\/\/[^\/]+\.(net|org)\/ or perhaps http:\/\/[\w.-]+\.(net|org)\/.

Suppress rule has of course one caveat -- it will filter out matching events for all the following rules, not just one of them. So if you append more rules into the same rule file, the Suppress rule will influence all of them.

Also, as John pointed out, Single rule with 'logonly' action is essentially the same as Suppress, and it can be helpful during initial development, since you get log messages for all lines matched by the filtering rule. It is straightforward to turn this Single rule into Suppress when testing is complete.

hope this helps,
risto

2017-03-17 19:29 GMT+02:00 James Lay <j...@slave-tothe-box.net>:
> Thanks a bunch Risto..that totally worked. As for the Suppress rule..that
> really does sound like the easiest way to go...my challenge at the time was
> that my logonly impacted my entire configuration. Is there a link I can
> read that will show me how to do a per rule suppress? And the breakdown of
> the full expression was REALLY helpful...thanks again so much for all your
> great work as well Risto...I can't imagine running a box without sec on it.
>
> James
>
> On 2017-03-17 11:23, Risto Vaarandi wrote:
>> hi Todd and James,
>>
>> if I may, maybe I can adjust the previous expression just a little bit:
>>
>> \/\/([^\/.]+\.)*(?!net\/|org\/)[^\/.]+\/\S+\.php\?id=[0-9A-Za-z]{8}
>>
>> Maybe I can also explain some key components:
>>
>> \/\/ -- match two slashes
>> [^\/.]+ -- match a sequence of characters which are neither slashes
>> nor dots (used to match one part from a multipart name, e.g. "example"
>> from "www.example.com")
>> ([^\/.]+\.)* -- match all name parts that precede the last part (e.g.,
>> "www.example." from "www.example.com")
>> (?!net\/|org\/) -- make sure the last name part is neither "net" nor
>> "org" with a separating slash
>> [^\/.]+\/ -- match the last name part with a separating slash (if your
>> top-level domains are known to contain letters only, you can rewrite
>> this construct as [A-Za-z]+\/ for the sake of readability)
>>
>> I have only done a couple of tests with the above expression and
>> hopefully there are no mistakes in it :-)
>>
>> But if you want to keep things as simple as possible, maybe you can
>> follow John's advice and employ a filtering rule before the main rule
>> (sec has a special rule type Suppress for such filtering tasks).
>>
>> There is yet another alternative -- if you want to split the above
>> complex regular expression into two expressions which are joined with
>> "(NOT regex1) AND regex2", you can take advantage of the PerlFunc
>> pattern.
>>
>> Hope this helps,
>> risto
>>
>>
>> 2017-03-17 18:46 GMT+02:00 Todd M. Hall <t...@msstate.edu>:
>>> James,
>>>
>>> The pattern would need to be a little different to work correctly.
>>>
>>> The \S+ is breaking it.
>>>
>>> This would be easier to see with an actual log line, but try this...
>>>
>>> \/\/[^\/ ]+(?!\.net|\.org)\/\S+.php\?id=[0-9A-Za-z]{8}
>>>
>>>
>>> On Fri, 17 Mar 2017, James Lay wrote:
>>>> Date: Fri, 17 Mar 2017 11:13:05 -0500
>>>> From: James Lay <j...@slave-tothe-box.net>
>>>> To: simple-evcorr-users@lists.sourceforge.net
>>>> Subject: Re: [Simple-evcorr-users] Negation
>>>>
>>>> So ok...using regex101.com it looks like org still matches...should I
>>>> just try and test using sec or does regex101.com mirror what sec would
>>>> do? Example:
>>>>
>>>> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>>>>
>>>> bleh://something[.]org/something/something.php?id=sj98sdf7s978sdf
>>>>
>>>> and this still matches, again, according to regex101. Might have to
>>>> just give it a test. Thanks again...VERY helpful!
>>>>
>>>> James
>>>>
>>>> On 2017-03-17 10:02, Todd M. Hall wrote:
>>>>> Let us know if it works or not so it'll be searchable for others later.
>>>>> Performance won't likely be a problem unless you have a busy SEC
>>>>> process.
>>>>>
>>>>> On Fri, 17 Mar 2017, James Lay wrote:
>>>>>> Date: Fri, 17 Mar 2017 10:47:00 -0500
>>>>>> From: James Lay <j...@slave-tothe-box.net>
>>>>>> To: simple-evcorr-users@lists.sourceforge.net
>>>>>> Subject: Re: [Simple-evcorr-users] Negation
>>>>>>
>>>>>> Thanks Todd...I had the regex101.com link up and trying to learn about
>>>>>> lookahead/behind...it makes my head hurt.
>>>>>>
>>>>>> James
>>>>>>
>>>>>> On 2017-03-17 09:02, Todd M. Hall wrote:
>>>>>>> I've not verified if this works in SEC, but you could maybe do a
>>>>>>> negative lookahead/behind
>>>>>>>
>>>>>>> \.php\?id=[0-9A-Za-z]{8}(?!\.net|\.org)
>>>>>>>
>>>>>>> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>>>>>>>
>>>>>>> There may be a bit of a performance hit with using these though.
>>>>>>> Give them a try.
>>>>>>>
>>>>>>> On Thu, 16 Mar 2017, James Lay wrote:
>>>>>>>> Date: Thu, 16 Mar 2017 17:42:25 -0500
>>>>>>>> From: James Lay <j...@slave-tothe-box.net>
>>>>>>>> To: Simple Event Corralator <simple-evcorr-users@lists.sourceforge.net>
>>>>>>>> Subject: [Simple-evcorr-users] Negation
>>>>>>>>
>>>>>>>> Hey all,
>>>>>>>>
>>>>>>>> So I'm trying to create a rule to match this pattern:
>>>>>>>>
>>>>>>>> "\.php\?id=[0-9A-Za-z]{8}"
>>>>>>>>
>>>>>>>> The caveat is that I can't match certain things like, for example
>>>>>>>> "\.net|\.org". How do I create a regex with negation for SEC? Thank
>>>>>>>> you.
>>>>>>>>
>>>>>>>> James
>>>>>>>>
>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>>> _______________________________________________
>>>>>>>> Simple-evcorr-users mailing list
>>>>>>>> Simple-evcorr-users@lists.sourceforge.net
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>>>>>
>>>>>>> --
>>>>>>> Todd M. Hall
>>>>>>> Sr. Network Analyst
>>>>>>> Information Technology Services
>>>>>>> Mississippi State University
>>>>>>> t...@msstate.edu
>>>>>>> 662-325-9311 (phone)
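Editor's note, added to this archived thread and not part of any message in it: the script below exercises the expressions discussed above against a few constructed log lines, so the behaviour the participants describe can be checked offline without a SEC instance. It uses Python's re module (whose lookahead/lookbehind syntax matches the Perl regexes SEC uses) to compare Risto's final single expression, James's lookbehind attempt, and the "(NOT regex1) AND regex2" split Risto mentions for PerlFunc. It also simulates a small rule file to show the Suppress caveat: the "admin-path" rule and the ADMIN_PATH_RE pattern are hypothetical additions for that purpose only, and the simulation assumes SEC's default continue=DontCont, where the first matching rule consumes the event.

```python
import re

# Risto's final single-expression pattern from the thread: the negative
# lookahead rejects a last host-name label of "net" or "org".
NEGATED_HOST_RE = re.compile(
    r"\/\/([^\/.]+\.)*(?!net\/|org\/)[^\/.]+\/\S+\.php\?id=[0-9A-Za-z]{8}")

# James's lookbehind attempt from the thread, kept to show why it still
# matches .org URLs: \S+ may start anywhere (e.g. at "http"), so the
# lookbehind never inspects the characters in front of ".org".
LOOKBEHIND_RE = re.compile(r"(?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}")

# The two-expression alternative Risto mentions ("(NOT regex1) AND regex2"):
# regex1 is his Suppress-style TLD filter, regex2 is James's original pattern.
EXCLUDE_TLD_RE = re.compile(r"http:\/\/[\w.-]+\.(net|org)\/")
PHP_ID_RE = re.compile(r"\.php\?id=[0-9A-Za-z]{8}")

# Hypothetical extra rule (not from the thread), present only to demonstrate
# that a Suppress rule hides matching lines from every rule after it.
ADMIN_PATH_RE = re.compile(r"\/admin\/")

# Simulated rule file in evaluation order: (rule name, rule type, pattern).
RULES = [
    ("suppress-net-org", "Suppress", EXCLUDE_TLD_RE),
    ("php-id", "Single", PHP_ID_RE),
    ("admin-path", "Single", ADMIN_PATH_RE),
]


def matches_single_expression(line):
    """True when Risto's lookahead-based expression matches the line."""
    return NEGATED_HOST_RE.search(line) is not None


def matches_two_expressions(line):
    """'(NOT regex1) AND regex2' evaluated in code instead of in one regex."""
    return (EXCLUDE_TLD_RE.search(line) is None
            and PHP_ID_RE.search(line) is not None)


def lookbehind_attempt_matches(line):
    """True when James's lookbehind attempt matches (it matches .org too)."""
    return LOOKBEHIND_RE.search(line) is not None


def route(line):
    """Return (rule name, outcome) for the first rule whose pattern matches.

    Assumes every rule keeps SEC's default continue=DontCont, so the first
    matching rule consumes the event. A Suppress match consumes it silently,
    which is why later rules never see lines it filtered out.
    """
    for name, rule_type, regex in RULES:
        if regex.search(line):
            outcome = "suppressed" if rule_type == "Suppress" else "action"
            return (name, outcome)
    return (None, "no match")


# Constructed sample log lines; not taken from the thread.
SAMPLE_LINES = [
    "GET http://www.example.com/index.php?id=abcd1234",
    "GET http://host1.example.org/a/b.php?id=sj98sdf7",
    "GET http://cdn.example.net/x.php?id=Zz9Zz9Zz",
    "GET http://example.com/login.php?id=short",
    "GET http://ops.example.net/admin/reset.php?id=short",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        print("  single regex :", matches_single_expression(line))
        print("  two regexes  :", matches_two_expressions(line))
        print("  lookbehind   :", lookbehind_attempt_matches(line))
        print("  rule file    :", route(line))
```

The last sample line is the caveat Risto describes: it would have triggered the hypothetical "admin-path" rule, but the Suppress rule placed before it swallows every .net URL first. Temporarily swapping the Suppress rule for a Single rule with action=logonly, as the thread suggests, produces a log entry for exactly such lines during development.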