
SSIM: using wildcards in rule criteria / lookup tables

Created: 10 Oct 2012 • Updated: 17 Oct 2012 | 4 comments
sg_eugene's picture
This issue has been solved. See solution.

Hi everyone,

I am trying to create a rule in SSIM 4.7.4 to trigger incidents for abnormalities such as account guessing attempts.

In my network, everyone's account is of a strict format, e.g. "x0000x" where x = char, 0 = numeric digit. I know that databases such as MSSQL allow using wildcards such as "%" and "YY".

Is SSIM capable of doing this also? It will be good as we can safely ignore login failure attempts with the same username format, but zoom in and target login failures with non-standard usernames.

Many thanks


sg_eugene's picture

Thanks Ted, I have moved it to the correct forum. Can anyone advise?

mathell's picture

Use the matches or doesn't match operators and then specify your regex. I haven't tested it fully, but at least basic regexes appear to work. In your case, try a doesn't match on [a-zA-Z]{1,1}[\d]{4,4}[a-zA-Z]{1,1}
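
An added example, not part of the original thread and not SSIM rule syntax: the "doesn't match" filter discussed above, written in Python so the pattern can be checked against sample usernames before it goes into a rule. It also shows two pitfalls with this kind of pattern: a character range written A-z instead of A-Z, and an expression that is not anchored to the whole username. The event field names (`user`, `outcome`, `src`) and the sample events are constructed for illustration; the thread does not say whether SSIM's operators match the whole field, so the example uses a full match.

```python
import re

# Username policy from the question: one letter, four digits, one letter ("x0000x").
STANDARD = re.compile(r"[A-Za-z]\d{4}[A-Za-z]", re.ASCII)
# A range typed as A-z also spans the ASCII characters [ \ ] ^ _ ` between Z and a.
LOOSE = re.compile(r"[a-zA-z]\d{4}[a-zA-z]", re.ASCII)


def is_standard(username, pattern=STANDARD):
    """True only when the whole username fits the policy format."""
    return pattern.fullmatch(username) is not None


def suspicious_failures(events):
    """Return failed-login events whose username does not fit the format."""
    return [e for e in events
            if e["outcome"] == "failure" and not is_standard(e["user"])]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"user": "a1234b", "outcome": "failure", "src": "10.0.0.5"},
    {"user": "administrator", "outcome": "failure", "src": "10.0.0.9"},
    {"user": "root", "outcome": "failure", "src": "10.0.0.9"},
    {"user": "xa1234bx", "outcome": "failure", "src": "10.0.0.9"},
    {"user": "_1234_", "outcome": "failure", "src": "10.0.0.9"},
    {"user": "admin", "outcome": "success", "src": "10.0.0.7"},
]

if __name__ == "__main__":
    for event in suspicious_failures(SAMPLE_EVENTS):
        print(event["src"], event["user"])
```
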