
modify: check for non-existence with regex

Open · ghost opened this issue 8 years ago · 1 comment

Currently it is not possible to check both for non-existence and a value with just one rule, e.g.:

        "if": {
            "classification.identifier": "^(|botnet)$"
        }

Events with a non-existent classification.identifier do not match this value, as a non-empty value in the rule is assumed to mean "field must exist".

ghost · Aug 07 '17 08:08

Workaround: Create two rules:

        "if": {
            "classification.identifier": ""
        }

and:

        "if": {
            "classification.identifier": "^botnet$"
        }

ghost · Aug 07 '17 08:08
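The matching semantics described in the issue and the two-rule workaround from the comment, as an added example that is not intelmq's own modify-bot code. It assumes the rule semantics the issue states: an empty string as the rule value means "the field must not exist", and any non-empty value means "the field must exist and match the regex". The `rulename` key, the `matching_rules` helper and the sample events are assumptions made here for illustration, and the events are constructed, not real feed data.

```python
import re

# Constructed sample events (not from any real feed). A missing key models a
# field the event does not carry at all, which is the case the issue is about.
EVENTS = [
    {"source.ip": "192.0.2.1"},                                        # no identifier
    {"source.ip": "192.0.2.2", "classification.identifier": "botnet"},
    {"source.ip": "192.0.2.3", "classification.identifier": "scanner"},
]

# The single rule from the issue: intended to match "absent or 'botnet'".
SINGLE_RULE = [
    {"rulename": "single", "if": {"classification.identifier": "^(|botnet)$"}},
]

# The workaround from the comment: one rule for absence, one for the value.
WORKAROUND_RULES = [
    {"rulename": "absent", "if": {"classification.identifier": ""}},
    {"rulename": "botnet", "if": {"classification.identifier": "^botnet$"}},
]


def condition_matches(condition: dict, event: dict) -> bool:
    """Return True when every field in a rule's "if" block matches the event.

    Assumed semantics (as described in the issue, not copied from intelmq):
      ""            -> the field must be absent from the event
      anything else -> the field must be present and the regex must match
    """
    for field, pattern in condition.items():
        if field not in event:
            if pattern == "":
                continue      # absent field satisfies the "" condition
            return False      # a non-empty pattern requires the field to exist
        if pattern == "":
            return False      # "" demands absence, but the field is present
        # The page's patterns are anchored with ^...$, so search() and
        # fullmatch() agree for them; search() is used here.
        if not re.search(pattern, str(event[field])):
            return False
    return True


def matching_rules(rules: list, event: dict) -> list:
    """Names of all rules whose "if" block matches the given event."""
    return [rule["rulename"] for rule in rules if condition_matches(rule["if"], event)]


if __name__ == "__main__":
    for event in EVENTS:
        print(event.get("classification.identifier", "<absent>"),
              "single rule:", matching_rules(SINGLE_RULE, event),
              "workaround:", matching_rules(WORKAROUND_RULES, event))
```

Running it shows the behaviour the issue reports: the event without `classification.identifier` matches neither `^(|botnet)$` (the non-empty pattern forces presence) nor anything else under the single rule, whereas under the workaround it matches the `absent` rule and the `botnet` event matches the `botnet` rule; `scanner` matches nothing in either set.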