AnsweredAssumed Answered

regex on Netwitness 9.8

Question asked by Cris Rhea on Mar 29, 2016
Latest reply on Apr 13, 2016 by Cris Rhea

Running Investigator  Trying (unsuccessfully) to use a regex expression to look for specific HTTP Cookie patterns.


As a simple test, I've tried this custom drill  (after narrowing results to HTTP and specific alerts):


req.uniq regex 'C5=;'


(Single quotes surrounding expression, and literally looking for the 4 character string).  This runs successfully, but returns no results. If I look at the sessions, there clearly are sessions with this string in req.uniq.


What's magic about trying to get regex working?  Will they work properly on a meta data item that may exist multiple times in session?

My end goal is a more complex regex, but if I can't get a simple match to work, more complicated certainly won't...