cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Minemeld Regex

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
bokeke
L0 Member
‎07-05-2017 11:16 AM
‎07-05-2017 11:16 AM

Minemeld Regex

I want to only use the url portion of this feed ignoring the protocol portion http://

 

https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt

 

My regex is below:

 

regex: ^(http:\/\/)(.*)
transform: \2

 

This works fine outside Minemeld as python regex. However, Minemeld uses the full match which includes the protocol portion not just group 2 of the match in my aggregated feed.

Tags (2)
0 Likes
Reply

Accepted Solutions
Highlighted
lmori
L7 Applicator
‎07-07-2017 02:10 AM
‎07-07-2017 02:10 AM

Hi @bokeke,

you should do something like this (tested):

age_out:
    default: null
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: URL
ignore_regex: ^#
indicator:
    regex: ^(http[s]*:\/\/)(.*)
    transform: \2
interval: 300
source_name: ransomwaretracker.LY_DS_URLBL
url: https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt

Please note that if you are intersted in removing protocols from the output feed, you can also use the "v=panosurl" URL parameter to do that.

View solution in original post

0 Likes
Reply

All Replies
Highlighted
lmori
L7 Applicator
‎07-07-2017 02:10 AM
‎07-07-2017 02:10 AM

Hi @bokeke,

you should do something like this (tested):

age_out:
    default: null
    sudden_death: true
attributes:
    confidence: 100
    share_level: green
    type: URL
ignore_regex: ^#
indicator:
    regex: ^(http[s]*:\/\/)(.*)
    transform: \2
interval: 300
source_name: ransomwaretracker.LY_DS_URLBL
url: https://ransomwaretracker.abuse.ch/downloads/LY_DS_URLBL.txt

Please note that if you are intersted in removing protocols from the output feed, you can also use the "v=panosurl" URL parameter to do that.

View solution in original post

0 Likes
Reply
Highlighted
bokeke
L0 Member
‎07-07-2017 09:44 AM
‎07-07-2017 09:44 AM

Thanks imori Your regex under indicator works.

0 Likes
Reply
Highlighted
Carlos_Gomes
L3 Networker
‎07-11-2019 12:15 PM
‎07-11-2019 12:15 PM

@lmori Has anyone got this working for a taxii client feed instead of a csv file feed?

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks