regular expression syntax in dynamic group templates


Solved by MartinK

I cannot get these to work.

Supposedly the perl regexp syntax is supported.
A very basic instance of a perl regexp is a word without any special characters which should match as substring. It does not seem to happen. So what is the format of the regular expression?


It took a little bit of fiddling, but I've been able to get Regex working in several of our templates.  I've built most of my RegEx strings through sites like regexr.com or regex101.com, with some slight modifications to signify the beginning and the end of the strings.

1) Looking for clients that have some point-release of a version 5.x client installed (i.e. any 5.x version):
"Installed software.Application version" → RegEx → "^5.\d.\d{4}.\d$"

2) Looking for clients that do not have "Server" in the operating system name:
"OS edition.OS name" → RegEx → "^(?!.*Server).*$"

I can just type the regexp into perl interpreter and test.

That does not give the same result as these match rules.

I tried a small test perl program:

"Microsoft Windows 7 Professional" matches 7.
"Microsoft Windows Server 2008 R2" does not match 7.
"Microsoft Windows Server 2008 R2" matches "Server".
"Microsoft Windows Server 2008 R2" matches "Microsoft Windows Server".
"Microsoft Windows Server 2008 R2" does not match "^(?!.*Server).*\$".
"Microsoft Windows 7 Professional" matches "^(?!.*Server).*\$".

However, when I change my rule with "Microsoft Windows Server" from prefix to regex the server systems no longer show up in the group.

So yes, your example works. However, some valid regex examples do not.

Interesting Topic :)

Any tips to get a Syntax for this?

I try to create dynamic Groups for "logged in User":

All Users except User1+User10+User159

  • ESET Staff
  • Solution

Hello,

Dynamic group regular expressions use Perl syntax, but the expression must match the whole input string.

 

So if I understand correctly, regex here is not an additional filter. It's only another way for "contains". :(

  • ESET Staff

 

 

Hello,

I don't think matching whole string makes any difference: you can wrap your regular expression in ".*" and it should behave identically.

 

 

 

Hi,

but if I understand right, there is no chance to create an "and" syntax with regex (a and b and c and ...)?

  • Administrators

Let us know what you would like to accomplish, maybe we will be able to provide you with the exact regex expression.

 

Hi Marco,

I'm interested in the following syntax:

All Users except Andreas + Christian + Michael

or

All PCs except PC_123 + NB_587 + HTPC_599
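
An added example, not part of the original thread: it models the whole-string matching rule from the staff answer and builds the kind of "all except these" pattern asked about above. It assumes Python's `re.fullmatch` behaves like the product's matcher for these patterns (not verified against ERA); the helper names and sample values are constructed.

```python
import re

def group_matches(pattern: str, value: str) -> bool:
    """Whole-string match, as the staff answer describes for dynamic groups.
    Assumption: re.fullmatch stands in for the product's Perl-syntax matcher."""
    return re.fullmatch(pattern, value) is not None

def contains(word: str) -> str:
    """Substring test under whole-string matching: wrap the term in .*"""
    return ".*" + re.escape(word) + ".*"

def all_except(names) -> str:
    """Pattern accepting every value except the listed ones.
    The $ inside the lookahead makes each exclusion exact, so excluding
    User1 does not also exclude User10."""
    alternatives = "|".join(re.escape(n) for n in names)
    return "^(?!(?:" + alternatives + ")$).*$"

# Constructed sample values
OS_NAMES = ["Microsoft Windows 7 Professional",
            "Microsoft Windows Server 2008 R2"]
USERS = ["Andreas", "Christian", "Michael", "Andrea", "Michaela", "Petra"]

def demo() -> dict:
    excluded = all_except(["Andreas", "Christian", "Michael"])
    return {
        # Perl's =~ (like re.search) finds a bare word anywhere in the string
        "bare_search": [bool(re.search("Server", s)) for s in OS_NAMES],
        # the same bare word fails once the whole string has to match
        "bare_whole": [group_matches("Server", s) for s in OS_NAMES],
        # wrapping in .* restores "contains" behaviour
        "wrapped": [group_matches(contains("Server"), s) for s in OS_NAMES],
        # a former prefix rule needs a trailing .* when switched to regex
        "prefix": [group_matches("Microsoft Windows Server.*", s)
                   for s in OS_NAMES],
        # the negative lookahead from the thread already spans the whole string
        "not_server": [group_matches(r"^(?!.*Server).*$", s)
                       for s in OS_NAMES],
        "kept_users": [u for u in USERS if group_matches(excluded, u)],
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
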


This does not seem to work as described here and there is no description in an official manual.

perl test result:

"Microsoft Windows Server 2008 R2" does not match "^(?!.*Server).*\$".
"Microsoft Windows 7 Professional" matches "^(?!.*Server).*\$".
"Microsoft Windows Server 2008 R2" matches "^(?!.*( 7| 8 | 10| XP)).*\$".
"Microsoft Windows 7 Professional" does not match "^(?!.*( 7| 8 | 10| XP)).*\$".

working group:

  • EXPRESSION
  • OPERATION
    AND (All conditions have to be true)
  • RULES
    OS edition . OS name regex ^(?!.*Server).*$

always empty group:

  • EXPRESSION
  • OPERATION
    AND (All conditions have to be true)
  • RULES
    OS edition . OS name has mask ^(?!.*( 7| 8 | 10| XP)).*$

  • ESET Staff

I have made some simple tests and this kind of construction seems to be working, at least in ERA 6.3. Is there a chance the computer has not connected since you modified this template?

Would it be possible to enable debug trace.log verbosity for a client that should be matching the second group and post it here?

  1. create file C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs\traceAll to temporarily enable full verbosity of trace log without configuration change
  2. restart AGENT service
  3. search trace.log for regex you used - there should be line containing regex, data that it was compared with and result.
  4. delete traceAll file

Also, I would like to inform you that we have added support for "not regex" condition type, which solves this problem much more elegantly. It has only one limit -> both SERVER and AGENT must be version 6.3 or newer.

Hello,

I noticed that the expression is incorrectly used as mask rather than regexp. Fixing that, it seems this works OK, at least with a simpler regexp that actually matches some computers that connect often.

In ERA 6.2 there is an option to select NOR as the condition operator, which conveniently negates the regexp if that's the only condition you wanted.
