04-26-2012 02:29 AM
Does anyone know the logic used to interpret data patterns/filtering expressions?
By this I mean, if I have two patterns:-
Confidential\\Eyes-Only (exact match Confidential\Eyes-Only)
and
Confidential\\.+ (wildcard match Confidential\*)
Will a file with the string 'Confidential\Eyes-Only' match the former, as the closest match, or the latter as the 'widest' match. There doesn't appear to be a way to order patterns in threat policies, so other than creating dedicated threat policies for each string, and applying them to individual rules, this function seems quite limited.
Also, I have noticed that commit times have increased 5x when working with these type of cutom signatures, does anyone know if this is a sign that my regex logix is 'bad'?
Ta
05-15-2012 04:45 PM
With Custom signatures / Data patterns commit times are seen to be longer
The longer more specific match should match first and the wildcard * option should be below the more specific string - like policies and shadowing.
Hope this helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
