This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Minemeld Regex

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Minemeld Regex

Go to solution
bokeke
L0 Member

‎07-05-2017 11:16 AM

I want to only use the url portion of this feed ignoring the protocol portion http://

 

https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt

 

My regex is below:

 

regex: ^(http:\/\/)(.*)
transform: \2

 

This works fine outside Minemeld as python regex. However, Minemeld uses the full match which includes the protocol portion not just group 2 of the match in my aggregated feed.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
lmori
L7 Applicator

‎07-07-2017 02:10 AM

Hi @bokeke,

you should do something like this (tested):

age_out:
    default: null
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: URL
ignore_regex: ^#
indicator:
    regex: ^(http[s]*:\/\/)(.*)
    transform: \2
interval: 300
source_name: ransomwaretracker.LY_DS_URLBL
url: https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt

Please note that if you are intersted in removing protocols from the output feed, you can also use the "v=panosurl" URL parameter to do that.

View solution in original post

0 Likes Likes
3 REPLIES 3

Go to solution
lmori
L7 Applicator

‎07-07-2017 02:10 AM

Hi @bokeke,

you should do something like this (tested):

age_out:
    default: null
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: URL
ignore_regex: ^#
indicator:
    regex: ^(http[s]*:\/\/)(.*)
    transform: \2
interval: 300
source_name: ransomwaretracker.LY_DS_URLBL
url: https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt

Please note that if you are intersted in removing protocols from the output feed, you can also use the "v=panosurl" URL parameter to do that.

0 Likes Likes

Go to solution
bokeke
L0 Member
In response to lmori

‎07-07-2017 09:44 AM

Thanks imori Your regex under indicator works.

0 Likes Likes

Go to solution
Carlos_Gomes
L3 Networker
In response to bokeke

‎07-11-2019 12:15 PM - edited ‎07-11-2019 12:15 PM

@lmori Has anyone got this working for a taxii client feed instead of a csv file feed?

0 Likes Likes
  • 1 accepted solution
  • 6296 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks