[Lognorm] Shuffling spaces
James Lay
jlay at slave-tothe-box.net
Sat Dec 3 19:07:04 CET 2011
Hey Rainer....can you refresh my memory on the new name-value pair usage?
I'll give that a go and see what the results are...thanks so much.
James
On 12/3/11 10:50 AM, "Rainer Gerhards" <rgerhards at hq.adiscon.com> wrote:
>
>
>> -----Original Message-----
>> From: lognorm-bounces at lists.adiscon.com [mailto:lognorm-bounces at lists.adiscon.com] On Behalf Of Lay, James
>> Sent: Friday, December 02, 2011 7:08 PM
>> To: lognorm at lists.adiscon.com
>> Subject: [Lognorm] Shuffling spaces
>>
>> Hey all!
>>
>> So...I get to deal with annoying variances in some log entries...example snips
>> below:
>>
>> pri=1 rule=2 proto=10264/tcp
>> pri=1 rule=2 proto=https
>>
>> pri=1 proto=47 src=
>>
>> The subtle spaces are interesting to deal with as I have to have, for the first 2,
>> separate rulebase rules like:
>>
>> %-:word% %-:word% %-:word%
>> %-:word% %-:word% %-:word%
>>
>> Is there some functionality within lognorm to...I'm not sure how to
>> ask..."ignore" spaces? An example below:
>
>No, that would cause backtracking again :( ... but I could add a syntax
>"spaces" which would somewhat resolve that problem. However, this looks like
>something the new name-value pair syntax can do. Can't it?
>
>Rainer
>>
>>
>> Rulebase:
>>
>> prefix=
>> rule= %-:word% %-:word%
>>
>>
>> log file:
>>
>> test test
>> test test
>>
>>
>>
>> Just trying to minimize having to make many rules to match small changes.
>> Thanks all!
>>
>> James
>> _______________________________________________
>> Lognorm mailing list
>> Lognorm at lists.adiscon.com
>> http://lists.adiscon.net/mailman/listinfo/lognorm
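The problem discussed in this thread, log fields of the form name=value separated by varying runs of spaces, can be handled in one left-to-right pass with no backtracking. The sketch below is an added example, not part of the original thread and not liblognorm's rulebase syntax or code; the function name `parse_pairs` and the spacing in the sample lines are assumptions constructed for illustration.

```python
# Added example: whitespace-tolerant name=value scanning in a single pass.
# SAMPLE_LINES are constructed; the field names follow the thread, the
# spacing between fields is made up to show the variance.
SAMPLE_LINES = [
    "pri=1 rule=2  proto=10264/tcp",
    "pri=1  rule=2 proto=https",
    "pri=1 proto=47   src=",
]

WS = " \t"


def parse_pairs(line):
    """Return [(name, value), ...] for one log line.

    Any run of spaces or tabs separates fields, an empty value ("src=")
    is kept as "", and a token without "=", an empty name, or a repeated
    name raises ValueError so malformed lines are not silently accepted.
    """
    pairs, seen = [], set()
    i, n = 0, len(line)
    while i < n:
        while i < n and line[i] in WS:          # absorb the space run
            i += 1
        if i >= n:
            break
        start = i
        while i < n and line[i] != "=" and line[i] not in WS:
            i += 1
        name = line[start:i]
        if i >= n or line[i] != "=" or not name:
            raise ValueError(f"not a name=value field at column {start}")
        if name in seen:
            raise ValueError(f"duplicate field {name!r}")
        seen.add(name)
        i += 1                                   # step over "="
        vstart = i
        while i < n and line[i] not in WS:       # value ends at whitespace
            i += 1
        pairs.append((name, line[vstart:i]))
    return pairs


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_pairs(sample))
```

Each character is visited once, so the cost stays linear in the line length however many spaces separate the fields.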