Mailreport filter syntax
-
Hello,
Hopefully this is an easy question.
Trying to send system logs to myself, but don't want any snort or barnyard lines included.
!snort|!barnyard does not seem to work. Are there any docs for the syntax? Does it use standard regular expressions?
-
Does anyone know where we can find some doc/examples on how to use the filter syntax of mailreport ?
I would like to filter just the events containing at least the following: snort[ *]: [
where * = any char(s)
e.g. :
This one should match :
snort[93606]: [3:19187:7] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 199.19.53.1:53 -> 192.168.22.3:31544
This one should not match:
php-fpm[37106]: /snort/snort_interfaces.php: [Snort] Snort START for BRIDGE(bridge0)…
-
It's the same syntax that would be used by grep at the command line, so be sure to escape or otherwise use things exactly as if it was used there as well.
-
I am not good with the grep command... I will try to dig into this further with my friend Google.
-
This site is useful for testing regex patterns: https://www.debuggex.com/
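Since the filter takes grep-style regex (as the answer above says), here is an added example, not from the thread, that runs the two patterns discussed against a few constructed syslog lines: one that keeps only real snort alert lines (the "snort[ *]: [" case) and one that drops snort and barnyard lines, which in grep is done with -v rather than a "!" prefix. The sample lines are constructed; the php-fpm line is the one from the thread that must not match.

```shell
#!/bin/sh
# Added example: mailreport filters use grep-style regex, so "!snort" does
# not negate anything. Constructed sample syslog lines (not a real capture):
SAMPLE_LOG='snort[93606]: [3:19187:7] PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt [Classification: Attempted User Privilege Gain] [Priority: 1] {UDP} 199.19.53.1:53 -> 192.168.22.3:31544
php-fpm[37106]: /snort/snort_interfaces.php: [Snort] Snort START for BRIDGE(bridge0)
barnyard2[1234]: Closing spool file
sshd[555]: Accepted publickey for admin from 192.168.22.9 port 50122'

# "snort[ *]: [" from the thread, written as an extended regex:
#  - (^|[[:space:]]) lets the process name follow a timestamp/host prefix
#  - the literal brackets are escaped, and [0-9]+ stands in for "any chars"
#    (a pid), so "/snort/snort_interfaces.php" cannot match.
SNORT_ALERT_RE='(^|[[:space:]])snort\[[0-9]+\]: \['

# Process-name pattern for the original poster's exclusion wish.
NOISE_RE='(^|[[:space:]])(snort|barnyard2?)\['

# Keep only snort alert lines.
match_snort_alerts() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E "$SNORT_ALERT_RE"
}

# Drop snort and barnyard lines; grep has no "!" operator, -v inverts instead.
drop_snort_and_barnyard() {
    printf '%s\n' "$SAMPLE_LOG" | grep -v -E "$NOISE_RE"
}

# Counts (grep -c prints a bare number, unlike wc -l on some platforms).
count_snort_alerts() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c -E "$SNORT_ALERT_RE"
}

count_after_exclusion() {
    printf '%s\n' "$SAMPLE_LOG" | grep -v -c -E "$NOISE_RE"
}

match_snort_alerts
drop_snort_and_barnyard
```

Paste the regex itself (without quotes) into the filter field; the grep -v variant only shows how inversion is spelled in grep, not how the filter field handles it.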