Splunk Search

Props.conf / Regex question

flo_cognosec
Communicator

I add this to props.conf to detect shellscripts, but interesting enough this not only matches shell-scripts but also a lot of other files as well, not matching the regex.

What am I missing ?

[rule::find_shellscript]
MORE_THAN_0 = ^#!\/bin\/(bash|sh)
LEARN_MODEL=false
LEARN_SOURCETYPE=false
sourcetype=shellscript

0 Karma

flo_cognosec
Communicator

Seems like the MORE_THAN / LESS_THAN operators don't actually work as expected , was corrected in the docs already 😞

0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...