
Up a creek without some Regex!

Question asked by NTRSPhil on Jan 14, 2014
Latest reply on Jan 14, 2014 by RSA Admin


OK, so here is my problem. I have created some rules that match against certain criteria. Below is an example of such a rule.


service = 80 && alert = 'web_susp_act' && (risk.info != 'http direct to ip request','direct to ip http request' && risk.suspicious != 'http direct to ip request','direct to ip http request')


I want this rule to ignore anything from my internal domain, so 'NTRS.com'.


I tried adding the following to the end of this rule:

...http request' && alias.host !ends NTRS.com)

...http request' && alias.host !contains NTRS.com)

...http request' && alias.host regex (.+(?<!ntrs)\.com))


Can you tell me how I can accomplish this task?
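Added example (not part of the original question, and not RSA's own rule-engine code): the lookbehind regex from the third attempt, `.+(?<!ntrs)\.com`, evaluated with Python's `re` module against a handful of constructed hostnames, beside an anchored, case-insensitive alternative and a plain suffix check as the reference for "is this host in the internal domain". It assumes the rule engine evaluates `regex` as an unanchored search with the same lookbehind semantics as Python, which the post does not confirm; the hostnames, the `HARDENED_REGEX` pattern and the helper names are all assumptions made for illustration.

```python
import re

# The regex as posted in the question, compiled with Python's re engine.
# Assumption: the rule engine treats "regex" as an unanchored search with
# the same lookbehind semantics as Python; the post does not confirm this.
POSTED_REGEX = re.compile(r".+(?<!ntrs)\.com")

# Alternative pattern (an assumption, not from the post): anchor on the whole
# host, ignore case, and exclude exactly the internal domain and its
# subdomains. It does not restrict matches to .com, because the stated goal
# is only to skip the internal domain, not to keep only .com hosts.
HARDENED_REGEX = re.compile(r"^(?!(?:.*\.)?ntrs\.com$).+$", re.IGNORECASE)

# Constructed sample hostnames (not taken from the original post).
SAMPLE_HOSTS = [
    "www.ntrs.com",            # internal: the rule should ignore it
    "mail.NTRS.com",           # internal, uppercase like the post's 'NTRS.com'
    "evilntrs.com",            # external host whose name merely ends in "ntrs.com"
    "ntrs.com.attacker.net",   # external host embedding the internal name
    "example.com",             # ordinary external .com host
]


def posted_regex_matches(host):
    """True if the posted regex finds a match anywhere in host."""
    return POSTED_REGEX.search(host) is not None


def hardened_regex_matches(host):
    """True if the anchored, case-insensitive alternative matches host."""
    return HARDENED_REGEX.search(host) is not None


def is_internal_host(host, internal_domain="ntrs.com"):
    """Reference check: host equals the internal domain or is a subdomain of it.

    The comparison is case-insensitive and respects label boundaries, so
    'evilntrs.com' is not treated as internal while 'www.ntrs.com' is.
    """
    h = host.lower().rstrip(".")
    return h == internal_domain or h.endswith("." + internal_domain)


def compare(hosts=SAMPLE_HOSTS):
    """Map each host to (posted regex matched, hardened regex matched, truly external).

    The rule intends "matched" to mean "not internal", so a correct expression
    agrees with the third column on every row.
    """
    return {
        h: (posted_regex_matches(h), hardened_regex_matches(h), not is_internal_host(h))
        for h in hosts
    }


if __name__ == "__main__":
    for host, (posted, hardened, external) in compare().items():
        print(f"{host:24} posted={posted!s:5} hardened={hardened!s:5} external={external}")
```

Running it shows where the lookbehind version diverges from the intent: it is case-sensitive, so `mail.NTRS.com` still matches, and because the lookbehind only inspects the four characters before `.com`, it also suppresses external hosts such as `evilntrs.com` or `ntrs.com.attacker.net` that are not in the internal domain at all. Whether the anchored pattern is accepted by the rule engine's regex dialect is something to confirm before relying on it.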
