[Lognorm] Shuffling spaces
Rainer Gerhards
rgerhards at hq.adiscon.com
Sat Dec 3 18:50:50 CET 2011
> -----Original Message-----
> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Lay, James
> Sent: Friday, December 02, 2011 7:08 PM
> To: lognorm at lists.adiscon.com
> Subject: [Lognorm] Shuffling spaces
>
> Hey all!
>
> So...I get to deal with annoying variances in some log entries...example snips
> below:
>
> pri=1 rule=2 proto=10264/tcp
> pri=1 rule=2 proto=https
>
> pri=1 proto=47 src=
>
> The subtle spaces are interesting to deal with as I have to have, for the first 2,
> separate rulebase rules like:
>
> %-:word% %-:word% %-:word%
> %-:word% %-:word% %-:word%
>
> Is there some functionality within lognorm to...I'm not sure how to
> ask..."ignore" spaces? An example below:
No, that would cause backtracking again :( ... but I could add a syntax
"spaces" which would somewhat resolve that problem. However, this looks like
something the new name-value pair syntax can do. Can't it?
Rainer
>
>
> Rulebase:
>
> prefix=
> rule= %-:word% %-:word%
>
>
> log file:
>
> test test
> test test
>
>
>
> Just trying to minimize having to make many rules to match small changes.
> Thanks all!
>
> James
> _______________________________________________
> Lognorm mailing list
> Lognorm at lists.adiscon.com
> http://lists.adiscon.net/mailman/listinfo/lognorm
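
An added example, not part of the original message and not liblognorm code: a single forward pass that reads name=value fields like those in the quoted log lines no matter how many spaces or tabs separate them, so one routine covers all the spacing variants without backtracking. The name `scan_pairs` is hypothetical, and the sample lines are constructed from the fields in the post with the spacing varied by hand.

```python
# Added illustration; not liblognorm code. scan_pairs is a hypothetical name.
WS = " \t"


def scan_pairs(line):
    """Scan name=value tokens left to right in one pass.

    Returns (pairs, stray): pairs maps name -> value (the value may be
    empty, as in "src="), stray lists tokens that are not name=value.
    The index only moves forward, so no input position is visited twice.
    """
    pairs, stray = {}, []
    i, n = 0, len(line)
    while i < n:
        # Skip a run of whitespace of any length.
        while i < n and line[i] in WS:
            i += 1
        if i >= n:
            break
        # Consume one token up to the next whitespace character,
        # remembering where its first "=" sits.
        start, eq = i, -1
        while i < n and line[i] not in WS:
            if line[i] == "=" and eq < 0:
                eq = i
            i += 1
        if eq > start:
            pairs[line[start:eq]] = line[eq + 1:i]
        else:
            # No "=" at all, or "=" with an empty name.
            stray.append(line[start:i])
    return pairs, stray


# Constructed samples: fields from the post, spacing varied by hand.
SAMPLES = [
    "pri=1 rule=2 proto=10264/tcp",
    "pri=1  rule=2   proto=https",
    "pri=1\tproto=47    src=",
]


def normalize_all(lines=SAMPLES):
    """Return the parsed field dict for each sample line."""
    return [scan_pairs(entry)[0] for entry in lines]


if __name__ == "__main__":
    for record in normalize_all():
        print(record)
```
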