Thanks Risto, that really helps!

James

On 2017-03-17 12:00, Risto Vaarandi wrote:
> hi James,
>
> Suppress rule has fortunately few fields and works in a straightforward
> way (you can also read more about it in the official documentation
> http://simple-evcorr.github.io/man.html when clicking on the link
> "Suppress Rule": http://simple-evcorr.github.io/man.html#lbAT).
>
> Just to provide one example, consider the following rule:
>
> type=Suppress
> ptype=RegExp
> pattern=http:\/\/[\w-]+\.example\.com
>
> This rule matches any input lines which contain URLs for hosts in the
> example.com domain (like http://host1.example.com or
> http://abc.example.com). The above Suppress rule will simply not pass
> matching lines to the following rules for further processing. If you
> would like to exclude .org and .net top level domains, you could use a
> very simple regular expression like \.(net|org)\/ in the Suppress rule.
> However, for avoiding accidental matches by other parts of the URL, you
> could also make this expression a bit more complex, such as
> http:\/\/[^\/]+\.(net|org)\/ or perhaps http:\/\/[\w.-]+\.(net|org)\/.
>
> Suppress rule has of course one caveat -- it will filter out matching
> events for all the following rules, not just one of them. So if you
> append more rules into the same rule file, the Suppress rule will
> influence all of them.
>
> Also, as John pointed out, Single rule with 'logonly' action is
> essentially the same as Suppress, and it can be helpful during initial
> development, since you get log messages for all lines matched by the
> filtering rule. It is straightforward to turn this Single rule into
> Suppress when testing is complete.
>
> hope this helps,
> risto
>
> 2017-03-17 19:29 GMT+02:00 James Lay <j...@slave-tothe-box.net>:
>> Thanks a bunch Risto..that totally worked. As for the Suppress
>> rule..that really does sound like the easiest way to go...my challenge
>> at the time was that my logonly impacted my entire configuration. Is
>> there a link I can read that will show me how to do a per rule
>> suppress? And the breakdown of the full expression was REALLY
>> helpful...thanks again so much for all your great work as well
>> Risto...I can't imagine running a box without sec on it.
>>
>> James
>>
>> On 2017-03-17 11:23, Risto Vaarandi wrote:
>>> hi Todd and James,
>>>
>>> if I may, maybe I can adjust the previous expression just a little
>>> bit:
>>>
>>> \/\/([^\/.]+\.)*(?!net\/|org\/)[^\/.]+\/\S+\.php\?id=[0-9A-Za-z]{8}
>>>
>>> Maybe I can also explain some key components:
>>>
>>> \/\/ -- match two slashes
>>> [^\/.]+ -- match a sequence of characters which are neither slashes
>>> nor dots (used to match one part from a multipart name, e.g. "example"
>>> from "www.example.com")
>>> ([^\/.]+\.)* -- match all name parts that precede the last part (e.g.,
>>> "www.example." from "www.example.com")
>>> (?!net\/|org\/) -- make sure the last name part is neither "net" nor
>>> "org" with a separating slash
>>> [^\/.]+\/ -- match the last name part with a separating slash (if your
>>> top-level domains are known to contain letters only, you can rewrite
>>> this construct as [A-Za-z]+\/ for the sake of readability)
>>>
>>> I have only done a couple of tests with the above expression and
>>> hopefully there are no mistakes in it :-)
>>>
>>> But if you want to keep things as simple as possible, maybe you can
>>> follow John's advice and employ a filtering rule before the main rule
>>> (sec has a special rule type Suppress for such filtering tasks).
>>>
>>> There is yet another alternative -- if you want to split the above
>>> complex regular expression into two expressions which are joined with
>>> "(NOT regex1) AND regex2", you can take advantage of the PerlFunc
>>> pattern.
>>>
>>> Hope this helps,
>>> risto
>>>
>>> 2017-03-17 18:46 GMT+02:00 Todd M. Hall <t...@msstate.edu>:
>>>> James,
>>>>
>>>> The pattern would need to be a little different to work correctly.
>>>>
>>>> The \S+ is breaking it.
>>>>
>>>> This would be easier to see with an actual log line, but try this...
>>>>
>>>> \/\/[^\/ ]+(?!\.net|\.org)\/\S+.php\?id=[0-9A-Za-z]{8}
>>>>
>>>> On Fri, 17 Mar 2017, James Lay wrote:
>>>>> Date: Fri, 17 Mar 2017 11:13:05 -0500
>>>>> From: James Lay <j...@slave-tothe-box.net>
>>>>> To: simple-evcorr-users@lists.sourceforge.net
>>>>> Subject: Re: [Simple-evcorr-users] Negation
>>>>>
>>>>> So ok...using regex101.com it looks like org still matches...should
>>>>> I just try and test using sec or does regex101.com mirror what sec
>>>>> would do? Example:
>>>>>
>>>>> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>>>>>
>>>>> bleh://something[.]org/something/something.php?id=sj98sdf7s978sdf
>>>>>
>>>>> and this still matches, again, according to regex101. Might have to
>>>>> just give it a test. Thanks again...VERY helpful!
>>>>>
>>>>> James
>>>>>
>>>>> On 2017-03-17 10:02, Todd M. Hall wrote:
>>>>>> Let us know if it works or not so it'll be searchable for others
>>>>>> later. Performance won't likely be a problem unless you have a busy
>>>>>> SEC process.
>>>>>>
>>>>>> On Fri, 17 Mar 2017, James Lay wrote:
>>>>>>> Date: Fri, 17 Mar 2017 10:47:00 -0500
>>>>>>> From: James Lay <j...@slave-tothe-box.net>
>>>>>>> To: simple-evcorr-users@lists.sourceforge.net
>>>>>>> Subject: Re: [Simple-evcorr-users] Negation
>>>>>>>
>>>>>>> Thanks Todd...I had the regex101.com link up and was trying to
>>>>>>> learn about lookahead/behind...it makes my head hurt.
>>>>>>>
>>>>>>> James
>>>>>>>
>>>>>>> On 2017-03-17 09:02, Todd M. Hall wrote:
>>>>>>>> I've not verified if this works in SEC, but you could maybe do a
>>>>>>>> negative lookahead/behind
>>>>>>>>
>>>>>>>> \.php\?id=[0-9A-Za-z]{8}(?!\.net|\.org)
>>>>>>>>
>>>>>>>> (?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}
>>>>>>>>
>>>>>>>> There may be a bit of a performance hit with using these though.
>>>>>>>> Give them a try.
>>>>>>>>
>>>>>>>> On Thu, 16 Mar 2017, James Lay wrote:
>>>>>>>>> Date: Thu, 16 Mar 2017 17:42:25 -0500
>>>>>>>>> From: James Lay <j...@slave-tothe-box.net>
>>>>>>>>> To: Simple Event Corralator <simple-evcorr-users@lists.sourceforge.net>
>>>>>>>>> Subject: [Simple-evcorr-users] Negation
>>>>>>>>>
>>>>>>>>> Hey all,
>>>>>>>>>
>>>>>>>>> So I'm trying to create a rule to match this pattern:
>>>>>>>>>
>>>>>>>>> "\.php\?id=[0-9A-Za-z]{8}"
>>>>>>>>>
>>>>>>>>> The caveat is that I can't match certain things like, for example
>>>>>>>>> "\.net|\.org". How do I create a regex with negation for SEC?
>>>>>>>>> Thank you.
>>>>>>>>>
>>>>>>>>> James
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>> Check out the vibrant tech community on one of the world's most
>>>>>>>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>>>>>>> _______________________________________________
>>>>>>>>> Simple-evcorr-users mailing list
>>>>>>>>> Simple-evcorr-users@lists.sourceforge.net
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
>>>>>>>>
>>>>>>>> --
>>>>>>>> Todd M. Hall
>>>>>>>> Sr. Network Analyst
>>>>>>>> Information Technology Services
>>>>>>>> Mississippi State University
>>>>>>>> t...@msstate.edu
>>>>>>>> 662-325-9311 (phone)
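As an added illustration (not code from the thread, and not SEC's own code), the three approaches discussed above run against constructed log lines in Python, whose re module treats these Perl-style lookarounds the same way: James's first lookbehind attempt, Risto's single expression, and the Suppress-then-Single pair, the latter modelled as two plain regexes rather than real SEC rules. The last sample line exercises Risto's caveat that a Suppress rule discards the whole line, not just the offending URL.

```python
import re

# James's first attempt from the thread: the lookbehind sits in front of \S+,
# which may start anywhere on the line, so the host is never actually checked.
NAIVE_RE = re.compile(r"(?<!\.net|\.org)\S+\.php\?id=[0-9A-Za-z]{8}")

# Risto's final expression from the thread: the lookahead is pinned to the
# last host label, which must be directly followed by a slash.
SINGLE_RE = re.compile(
    r"\/\/([^\/.]+\.)*(?!net\/|org\/)[^\/.]+\/\S+\.php\?id=[0-9A-Za-z]{8}"
)

# The two-rule alternative: a Suppress rule drops .net/.org lines before the
# Single rule runs. Plain Python regexes stand in for the SEC rules here
# (assumed equivalent to SEC's behaviour, not SEC's own code).
SUPPRESS_RE = re.compile(r"http:\/\/[\w.-]+\.(net|org)\/")
MAIN_RE = re.compile(r"\.php\?id=[0-9A-Za-z]{8}")

def naive_matches(line):
    return NAIVE_RE.search(line) is not None

def single_rule_matches(line):
    return SINGLE_RE.search(line) is not None

def suppress_then_match(line):
    """Whole line is discarded if SUPPRESS_RE matches anywhere in it."""
    return not SUPPRESS_RE.search(line) and MAIN_RE.search(line) is not None

# Constructed sample log lines (not taken from the thread).
SAMPLE_LINES = [
    "GET http://www.example.com/app/login.php?id=Ab12Cd34 200",
    "GET http://www.example.org/app/login.php?id=Ab12Cd34 200",
    "GET http://cdn.example.net/x/y.php?id=zz99YY00 200",
    "GET http://example.com/a.php?id=short 404",
    "GET http://org.example.com/a.php?id=12345678 200",
    "GET http://good.example.com/a.php?id=12345678 ref=http://evil.example.org/",
]

def compare(lines):
    """Map each line to (naive, single_rule, suppress_then_match) results."""
    return {l: (naive_matches(l), single_rule_matches(l), suppress_then_match(l))
            for l in lines}

def disagreements(lines):
    """Lines on which the one-regex and two-rule approaches differ (Suppress caveat)."""
    return [l for l, (_, one, two) in compare(lines).items() if one != two]

if __name__ == "__main__":
    for line, results in compare(SAMPLE_LINES).items():
        print(results, line)
```

The .org line shows why regex101 kept matching James's version, and the final line is accepted by Risto's single expression but dropped by the Suppress pair because the second URL on the line triggers the filter.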