On Monday 13 March 2006 11:14, Kevin Carr wrote:
I have a question about how you imagine regular expression matching to
work. For example if I want to match the "exe" field in avc messages with
a regular expression, what will be the best way given this API?
That's a good question. Right now, ausearch has 2 kinds of matching, substring
and whole string. Which match to use is governed by the -w parameter to
ausearch, the default being substring.
Does it become something like:
ausearch_set_param("exe", "regex", "/sbin(/.*)")
I think we need to add another operator to correctly represent ausearch's
capabilities:
ausearch_set_param("exe", "~", "/sbin");
For example, the above would do substring matches. Any exe field that
has /sbin would match. So both /sbin/fdisk and /usr/sbin/nstat would match.
ausearch_set_param("exe", "=", "/sbin");
Would likely draw no matches since a directory isn't an executable.
I have stayed away from regex matching because performance will be bad.
However, I think we can throw that in at this point and just warn people that
it's likely to be slow.
I'll update the spec to include a section about operators & matching and
repost it to this thread.
-Steve
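The operator semantics discussed above (whole-string "=", substring "~", and a regex operator), applied to the exe field of a few constructed audit records. This is an added illustration, not audit library code: ausearch_set_param is only a proposed API in this thread, so the block stands in with a plain count_matches() function, and the field extraction is a simplified parser for the sample lines only.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample records (not real audit output); only the exe= field matters here. */
static const char *records[] = {
    "type=AVC msg=audit(1142263000.101:10): avc:  denied  { read } for  pid=1001 comm=\"fdisk\" exe=\"/sbin/fdisk\"",
    "type=AVC msg=audit(1142263000.102:11): avc:  denied  { read } for  pid=1002 comm=\"nstat\" exe=\"/usr/sbin/nstat\"",
    "type=AVC msg=audit(1142263000.103:12): avc:  denied  { read } for  pid=1003 comm=\"ls\" exe=\"/bin/ls\"",
};
/* Copy the value of " name=" (quoted or bare) into buf; returns 1 if the field exists. */
static int get_field(const char *rec, const char *name, char *buf, size_t n) {
    char key[64];
    snprintf(key, sizeof key, " %s=", name);
    const char *p = strstr(rec, key);
    if (!p) return 0;
    p += strlen(key);
    int quoted = (*p == '"');
    if (quoted) p++;
    size_t i = 0;
    while (*p && i + 1 < n && *p != (quoted ? '"' : ' '))
        buf[i++] = *p++;
    buf[i] = '\0';
    return 1;
}
/* Operator semantics from the thread: "=" whole string, "~" substring, "regex" POSIX ERE.
 * Returns 1 on match, 0 on no match, -1 on unknown operator or bad pattern. */
static int field_matches(const char *rec, const char *name, const char *op, const char *val) {
    char buf[256];
    if (!get_field(rec, name, buf, sizeof buf)) return 0;
    if (strcmp(op, "=") == 0) return strcmp(buf, val) == 0;
    if (strcmp(op, "~") == 0) return strstr(buf, val) != NULL;
    if (strcmp(op, "regex") == 0) {
        regex_t re;
        if (regcomp(&re, val, REG_EXTENDED | REG_NOSUB) != 0) return -1;
        int rc = regexec(&re, buf, 0, NULL, 0); /* unanchored: behaves like "~" unless ^ and $ are used */
        regfree(&re);
        return rc == 0;
    }
    return -1;
}
/* Count records the parameter would select (hypothetical stand-in for ausearch_set_param + search). */
static int count_matches(const char *name, const char *op, const char *val) {
    int hits = 0;
    for (size_t i = 0; i < sizeof records / sizeof records[0]; i++)
        if (field_matches(records[i], name, op, val) == 1) hits++;
    return hits;
}
```

Note that the regex "/sbin(/.*)" from the question selects /usr/sbin/nstat as well, because a POSIX regexec search is unanchored; "^/sbin(/.*)$" is needed to get the whole-string behaviour.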