I'm trying to calculate a potential risk score from the number of concurrent consonants in a domain name (e.g. egorklwqyrjvbsxvhvcws.com is rarely a domain that people intentionally browse... 🙂).
So I'm pseudo-coding for Splunk in my mind, and I'm envisioning a mess of PCRE regex for assessment criterion that's going to thrash our forwarders and indexers.
Is there a better way to implement the following structure?
Set (Consonant_Risk_value) = 0%
IF Rex(domain_name)/([bcdfghjklmnpqrstvwxyz]{5})/i OR Rex(domain_name)/([bcdfghjklmnpqrstvwxyz]{6})/I
THEN set (Consonant_Risk_value) = 40%
ELSE
IF Rex(domain_name)/([bcdfghjklmnpqrstvwxyz]{7})/i OR Rex(domain_name)/([bcdfghjklmnpqrstvwxyz]{8})/I
THEN set (Consonant_Risk_value) = 60%
ELSE
IF Rex(domain_name)/([bcdfghjklmnpqrstvwxyz]{>8})/i
THEN set (Consonant_Risk_value) = 80%
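The tiering described in the post, as an added Python example (not the poster's code and not Splunk SPL): it scans the name once for its longest consonant run and maps that length to the 40/60/80 bands, then contrasts that with the post's branch order taken literally. The function names and every sample domain other than the post's own are constructed for illustration.

```python
import re

# Same character class as the post: every letter except a, e, i, o, u,
# so "y" counts as a consonant.
CLASS = "[bcdfghjklmnpqrstvwxyz]"
CONSONANT_RUN = re.compile(CLASS + "+", re.IGNORECASE)

# (minimum run length, score in percent), highest band first.
# Bands follow the post: 5-6 -> 40, 7-8 -> 60, more than 8 -> 80.
TIERS = ((9, 80), (7, 60), (5, 40))


def longest_consonant_run(domain_name: str) -> int:
    """Length of the longest unbroken consonant run, found in one scan."""
    # Dots, digits and hyphens are outside the class, so a run never
    # spans two labels of the name.
    runs = (len(m.group()) for m in CONSONANT_RUN.finditer(domain_name))
    return max(runs, default=0)


def consonant_risk_value(domain_name: str) -> int:
    """Map the longest run to the post's bands, checking the top band first."""
    longest = longest_consonant_run(domain_name)
    for min_len, score in TIERS:
        if longest >= min_len:
            return score
    return 0


def literal_post_order(domain_name: str) -> int:
    """The post's IF/ELSE order as written (hypothetical helper for contrast)."""
    # An unanchored {5} also matches inside a longer run, so the first
    # branch wins for every run of five or more consonants.
    for quantifier, score in (("{5}", 40), ("{7}", 60), ("{9,}", 80)):
        if re.search(CLASS + quantifier, domain_name, re.IGNORECASE):
            return score
    return 0


if __name__ == "__main__":
    # First name is from the post; the rest are constructed samples.
    samples = ["egorklwqyrjvbsxvhvcws.com", "example.com",
               "lengths.example", "rhythms.example"]
    for name in samples:
        print(name, longest_consonant_run(name),
              consonant_risk_value(name), literal_post_order(name))
```

Because "y" is in the class, an ordinary word such as "rhythms" lands in the 60% band, which is worth knowing before the score feeds an alert.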