Minemeld Regex

L0 Member

Minemeld Regex

I want to use only the URL portion of this feed, ignoring the protocol portion http://

 

https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt

 

My regex is below:

 

regex: ^(http:\/\/)(.*)
transform: \2

 

This works fine outside Minemeld as a Python regex. However, Minemeld uses the full match, which includes the protocol portion, not just group 2 of the match, in my aggregated feed.

L7 Applicator

Re: Minemeld Regex

Hi @bokeke,

you should do something like this (tested):

age_out:
    default: null
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: URL
ignore_regex: ^#
indicator:
    regex: ^(http[s]*:\/\/)(.*)
    transform: \2
interval: 300
source_name: ransomwaretracker.LY_DS_URLBL
url: https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt

Please note that if you are interested in removing protocols from the output feed, you can also use the "v=panosurl" URL parameter to do that.
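
An added example (not part of the original posts, and not MineMeld's own code) that emulates in Python how the `ignore_regex`, `indicator.regex` and `indicator.transform` settings above act on feed lines. It assumes the miner keeps the full match when no transform is applied and expands the transform against the match otherwise; the sample lines and the `extract_indicators` helper are constructed for illustration.

```python
import re

# Constructed sample lines in the style of a URL blocklist (not real feed data).
SAMPLE_FEED = """\
# constructed header comment
http://malicious.example/payload.exe
https://bad.example/gate.php?id=1
ftp://other.example/file
"""

# The indicator regex from the reply above.
REGEX = r"^(http[s]*:\/\/)(.*)"


def extract_indicators(feed_text, indicator_regex, transform=None, ignore_regex=None):
    """Emulate the ignore_regex / indicator.regex / indicator.transform steps.

    Assumption: each line is searched with the regex; with a transform the
    template is expanded against the match, without one the full match
    (group 0) becomes the indicator.
    """
    pattern = re.compile(indicator_regex)
    ignore = re.compile(ignore_regex) if ignore_regex else None
    indicators = []
    for line in feed_text.splitlines():
        line = line.strip()
        if not line or (ignore and ignore.search(line)):
            continue  # blank line or comment: skipped
        match = pattern.search(line)
        if match is None:
            continue  # no match (e.g. ftp://): the line yields no indicator
        indicators.append(match.expand(transform) if transform else match.group(0))
    return indicators


if __name__ == "__main__":
    # No transform in effect: the scheme stays in the indicator.
    print(extract_indicators(SAMPLE_FEED, REGEX, ignore_regex="^#"))
    # transform \2: only the second capture group is kept.
    print(extract_indicators(SAMPLE_FEED, REGEX, transform=r"\2", ignore_regex="^#"))
```

Running a few feed lines through a check like this before deploying the prototype shows which lines are dropped entirely and whether the scheme is actually stripped.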

L0 Member

Re: Minemeld Regex

Thanks imori. Your regex under indicator works.

L2 Linker

Re: Minemeld Regex

@lmori Has anyone got this working for a TAXII client feed instead of a CSV file feed?
