Minemeld Regex

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Minemeld Regex

L0 Member

I want to only use the url portion of this feed ignoring the protocol portion http://

 

https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt

 

My regex is below:

 

regex: ^(http:\/\/)(.*)
transform: \2

 

This works fine outside Minemeld as python regex. However, Minemeld uses the full match which includes the protocol portion not just group 2 of the match in my aggregated feed.

1 accepted solution

Accepted Solutions

L7 Applicator

Hi @bokeke,

you should do something like this (tested):

age_out:
    default: null
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: URL
ignore_regex: ^#
indicator:
    regex: ^(http[s]*:\/\/)(.*)
    transform: \2
interval: 300
source_name: ransomwaretracker.LY_DS_URLBL
url: https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt

Please note that if you are intersted in removing protocols from the output feed, you can also use the "v=panosurl" URL parameter to do that.

View solution in original post

3 REPLIES 3

L7 Applicator

Hi @bokeke,

you should do something like this (tested):

age_out:
    default: null
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: URL
ignore_regex: ^#
indicator:
    regex: ^(http[s]*:\/\/)(.*)
    transform: \2
interval: 300
source_name: ransomwaretracker.LY_DS_URLBL
url: https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt

Please note that if you are intersted in removing protocols from the output feed, you can also use the "v=panosurl" URL parameter to do that.

Thanks imori Your regex under indicator works.

@lmori Has anyone got this working for a taxii client feed instead of a csv file feed?

  • 1 accepted solution
  • 6298 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!