2016-08-29 01:24 PM
Hi,
We have a list of URL domains with regex expressions. These domains change often, but they still have a pattern, so we can match them with a regex expression.
Is it possible to upload a regex feed and then have it read as regex in an app rule and/or ESA?
Thank you!
2016-09-16 07:45 AM
No. It is not possible to have a feed based on regular expressions. Feeds, and the underlying CSV file, would be exact matches.
2016-09-16 11:21 AM
Can you post an example?
2016-09-20 02:48 AM
There is another chance to match the suspicious domains using regex.
If you are using the Reporting Engine in SA HEAD:
- You can make a LIST containing the regex domains.
- You can make a rule to trigger the match.
- You can make an alert if something is triggered.
The domain can be identified as 'hostname' in SA.
You can use it like this:
hostname regex [$BADDOMAIN]
where
BADDOMAIN is a list created by you.
If you have any further questions, don't hesitate to leave a comment here.
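
The difference between the exact-match feed and the regex list discussed in this thread, as an added Python example (not part of any post and not RSA Security Analytics syntax). The feed entries, patterns and hostnames are constructed, and the example goes one step further to show why patterns in such a list should be anchored.

```python
import re

# Constructed sample data: not taken from the thread or from any real feed.
EXACT_FEED = {"update-cdn01.example.net", "update-cdn02.example.net"}

# Hypothetical pattern list, playing the role of the BADDOMAIN list in the post.
BAD_DOMAIN_PATTERNS = [
    r"update-cdn\d{2}\.example\.net",
    r"[a-z]{8}\.sync\.example\.org",
]

# Constructed 'hostname' values as they might appear in session metadata.
HOSTNAMES = [
    "update-cdn01.example.net",   # listed in the feed, also fits a pattern
    "Update-CDN37.example.net.",  # rotated name: only a pattern can catch it
    "qwertyui.sync.example.org",  # generated label: only a pattern can catch it
    "update-cdn37.example.net.intranet.example.com",  # unrelated longer name
    "www.example.com",
]

def normalize(hostname):
    """Lower-case and drop the trailing root dot so comparisons are stable."""
    return hostname.strip().rstrip(".").lower()

def feed_match(hostname, feed=EXACT_FEED):
    """Feed behaviour: the value must equal a feed entry exactly."""
    return normalize(hostname) in feed

def regex_match(hostname, patterns=BAD_DOMAIN_PATTERNS, anchored=True):
    """List behaviour: any pattern may match; anchored means the whole name."""
    name = normalize(hostname)
    for pattern in patterns:
        rx = re.compile(pattern)
        hit = rx.fullmatch(name) if anchored else rx.search(name)
        if hit:
            return True
    return False

def classify(hostnames=HOSTNAMES):
    """Return {hostname: (feed_hit, anchored_regex_hit, unanchored_regex_hit)}."""
    return {
        h: (feed_match(h), regex_match(h), regex_match(h, anchored=False))
        for h in hostnames
    }

if __name__ == "__main__":
    for host, (feed, anchored, loose) in classify().items():
        print(f"{host:50} feed={feed!s:5} regex={anchored!s:5} unanchored={loose}")
```

The fourth hostname is the false positive to watch for: an unanchored pattern flags it because the pattern matches a substring of a longer, unrelated name.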