Hi,
I have defined an automatic lookup to a CSV file with several values per line.
I would like to create automatic wildcard lookups against more than one field in the CSV. Is this possible?
I have tried the following, but without success:
props.conf
[squid]
LOOKUP-MandiantAPT = MandiantAPT domain AS uri_host OUTPUTNEW
LOOKUP-MandiantAPT = MandiantAPT filename AS uri_path OUTPUTNEW
transforms.conf
[MandiantAPT]
filename = mandiant-apt.csv
case_sensitive_match=false
match_type = WILDCARD(domain)
match_type = WILDCARD(filename)
mandiant-apt.csv
domain,description,isbad,md5,filename,filesize,stringlist
"*advanbusiness.com*","Mandiant APT",true,"*001dd76872d80801692ff942308c64e6*","*121.exe*","*10233*","*!@#%$^#@!*"
"*aoldaily.com*","Mandiant APT",true,"*002325a0a67fded0381b5648d7fe9b8e*","*162.exe*","*10240*","*@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@*"
Does anyone have an idea? Thank you in advance for your help.
Regards,
Patrik
You should just set up two different lookups (pointing to the same file):
props.conf
[squid]
LOOKUP-MandiantAPTd = MandiantAPTd domain AS uri_host OUTPUTNEW
LOOKUP-MandiantAPTf = MandiantAPTf filename AS uri_path OUTPUTNEW
transforms.conf
[MandiantAPTd]
filename = mandiant-apt.csv
case_sensitive_match=false
match_type = WILDCARD(domain)
[MandiantAPTf]
filename = mandiant-apt.csv
case_sensitive_match=false
match_type = WILDCARD(filename)
Works perfectly!
Thank you for your help. Patrik
Can also be done in the same lookup definition, for example:
[MandiantAPT]
filename = mandiant-apt.csv
case_sensitive_match=false
match_type = WILDCARD(domain),WILDCARD(filename)
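An offline check of the wildcard lookup discussed in this thread, added here as an example and not taken from any of the posts or from Splunk itself. It approximates the matching (only `*` is a wildcard, comparison is case-insensitive as with case_sensitive_match=false) so the CSV patterns can be tested before deployment. Assumptions: the events are constructed, the CSV is reduced to four columns, the first matching row wins, and `matched_on` is a hypothetical helper field.

```python
import csv
import io
import re

# Two rows from the thread's mandiant-apt.csv, reduced to the columns used here.
LOOKUP_CSV = '''domain,description,isbad,filename
"*advanbusiness.com*","Mandiant APT",true,"*121.exe*"
"*aoldaily.com*","Mandiant APT",true,"*162.exe*"
'''

# Constructed proxy events; only the two lookup input fields are modelled.
EVENTS = [
    {"uri_host": "www.AdvanBusiness.com", "uri_path": "/index.html"},
    {"uri_host": "cdn.example.org", "uri_path": "/files/162.EXE"},
    {"uri_host": "intranet.example.org", "uri_path": "/wiki/Home"},
]

def wildcard_to_regex(pattern):
    """Treat only '*' as a wildcard; every other character is literal."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)

def load_lookup(text):
    return list(csv.DictReader(io.StringIO(text)))

def lookup(rows, csv_field, value):
    """Return the first row whose csv_field pattern matches value, else None."""
    for row in rows:
        if wildcard_to_regex(row[csv_field]).fullmatch(value):
            return row
    return None

def enrich(event, rows):
    """Apply the domain lookup, then the filename lookup (two-lookup answer)."""
    out = dict(event)
    for csv_field, event_field in (("domain", "uri_host"), ("filename", "uri_path")):
        row = lookup(rows, csv_field, event.get(event_field, ""))
        if row:
            # OUTPUTNEW-style: do not overwrite a field that is already set.
            out.setdefault("description", row["description"])
            out.setdefault("isbad", row["isbad"])
            out.setdefault("matched_on", csv_field)  # hypothetical helper field
    return out

def flagged(events, rows):
    return [e for e in (enrich(ev, rows) for ev in events) if e.get("isbad") == "true"]
```

Calling `flagged(EVENTS, load_lookup(LOOKUP_CSV))` returns the events that hit either pattern column, with `matched_on` showing which column matched.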