Can you explain exactly what your use case is here? What are the contents of the extensions LIST, and why do you need to use regex to match against it?
Also, it appears your regex has two extra right parenthesis:
I don't know that using a context hub list will be appropriate for your use case. In some traffic from my lab for files with multiple extensions, the extension meta key ended up like this:
Your traffic may be different, but if not then you'd need to have every single one of these possible multiple-extension strings defined in your list (because we can only do exact string matching with context hub lists currently)....which is not exactly a reasonable or feasible task...
That said, when it comes to doing the actual matching of your filenames, you'll have a few different options (https://community.rsa.com/docs/DOC-104243#Multi-Va😞
- REGEXP (as you tried already)
- matchLike
- matchRegex
- asStringArray
Some examples of what these could look like for your use case:
@RSAAlert
@Name('REGEXP alert')
SELECT * FROM Event(
(asStringArray(filename)).anyOf(v => v REGEXP '.+\.(exe|msi|bat)\..+')
);
@RSAAlert
@Name('matchLike alert')
SELECT * FROM Event(
matchLike(filename, '%.exe.%')
OR matchLike(filename, '%.msi.%')
OR matchLike(filename, '%.bat.%')
);
@RSAAlert
@Name('matchRegex alert')
SELECT * FROM Event(
matchRegex(filename, '.+\.(exe|msi|bat)\..+')
);
These will explicitly look for exe, msi, and bat extensions (of course, you can add more), but this is a bit rigid.
If you want to just match against any/all files with a filename.ext1.ext2 type of structure, you could replace the regex above with your original regex....but that will generate a whooooooole lot of false positives so I'd recommend you add some additional filtering to your rule to try to eliminate those as much as possible.
