
regex on Netwitness 9.8

Question asked by Cris Rhea on Mar 29, 2016
Latest reply on Apr 13, 2016 by Cris Rhea

Running Investigator 9.8.5.19. Trying (unsuccessfully) to use a regex expression to look for specific HTTP Cookie patterns.

As a simple test, I've tried this custom drill (after narrowing results to HTTP and specific alerts):

req.uniq regex 'C5=;'

(Single quotes surrounding expression, and literally looking for the 4-character string). This runs successfully, but returns no results. If I look at the sessions, there clearly are sessions with this string in req.uniq.

What's magic about trying to get regex working? Will they work properly on a meta data item that may exist multiple times in a session?

My end goal is a more complex regex, but if I can't get a simple match to work, more complicated certainly won't...

Thanks--
