Jump to content

Regex for Dynamic Group not working


Recommended Posts

I have one Dynamic Group Template with regex which is not working. Maybe anyone has an idea why.

What works (without regex):

SC1.PNG.5ed66f8542aa12cb56780f619c35048d.PNG

What doesn't works (with regex):

SC2.PNG.fc45a7910d7976635f072f9c8d56ccb8.PNG

Computers with prefix "kas-" are not part of the group (it's empty).

I also tried "^kas-|^kam-"

and also "^kas\-|^kam\-"

but nothing worked.

THX

Link to post
Share on other sites
  • ESET Staff

Unfortunately I cannot verify but I would recommend to construct regex without "^" and "$" -> even without those, whole string has to be matching regular expression, so those characters are not required. Maybe regex (kas|kam)-.* will work? Just to be sure, after each modification, it might take some time until new template is re-evaluated by clients.

Link to post
Share on other sites

Hi Martin,

thanks for you answer, however also the variant you suggested did not work.

I also tried kas-.*|kam-.* which did not work also.

Strange

Link to post
Share on other sites

I'm running out of ideas.

Is it possible that regex is broken?

I even tried kas.* which also fails.

If I replace "regex" with "has prefix" kas it works. But it is not what I need cause I have to check against two prefixes.

Cheers.

Link to post
Share on other sites
Posted (edited)
Quote

Did you wait long enough for changes in DG to replicate to clients and then back to the server?

I think so.

To get sure I did the last change yesterday evening and had a look at the results today. Group was still empty. Then I changed from "regex" to "has prefix" and 10 minutes later I saw the first computer appearing in the group.

Edited by offbyone
typos
Link to post
Share on other sites
  • ESET Staff
19 hours ago, offbyone said:

I think so.

To get sure I did the last change yesterday evening and had a look at the results today. Group was still empty. Then I changed from "regex" to "has prefix" and 10 minutes later I saw the first computer appearing in the group.

Could you please provide version and platform of ERA/ESMC Agent installed on client? Just to be sure there is not an older version which might not have regex support yet. Regardless of that, we will try to reproduce with similar configuration.

Link to post
Share on other sites
  • Administrators

Since the issue cannot be easily sorted, I would recommend opening a ticket with your local ESET support so that the issue is properly tracked and looked at by developers, if necessary.

Link to post
Share on other sites
  • ESET Staff
23 minutes ago, offbyone said:

Just for the records.

I changed "Device identifiers.Identifier type" from "Computer name" to "Computer FQDN" and now the regex works.

Thanks for letting us know.

Just out of curiosity, could you provide hint what could have been wrong? Both computer name and FQDN are accessible also from console in client details:

image.png

 

Maybe there was just wrong case sensitivity? Or completely wrong/unexpected computer name was reported for those devices?

Link to post
Share on other sites
Posted (edited)

That raises an interesting question.

Are the RegEx within ESET handled case sensitive? Sensitiveness normally is specified outside of the "expression string" with a modifier. For example in Java script you would write /(kas-|kam-).*/i where "i" the the modifier for case-insensitive.

That would explain it as the details for the computer look like follows:

 

sc.png.08b0b80791755660bf887fd95ef36fe5.png

 

 

 

Edited by offbyone
Link to post
Share on other sites

Just to mention. The operator "has prefix" is not cases sensitive, so I suspect the same for regex. So far I cannot imagine a use case for dynamic group rules where case sensitiveness makes sense.

Does ESET normalize FQDN and computer name to identical cases internally or does it use the values which are returned from OS unaltered?

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...