2 Replies Latest reply on May 22, 2017 8:42 AM by jokamo

    Confused about policy rule string matching

    jokamo

      Hi,

      I've had some strange things pop up while testing out a policy rule.

      I'm searching for a string that I know is in the config I used to test, but it's still saying it isn't there. Then when I move the string to another line in the rule it suddenly does find it in the tested config.

      Also, when I change the "Alert on rule below if", it changes behaviour to find the string or not. But the rule specifically states that it "must contain" that string.

      These are some images to clarify what I mean:

      Because the config file "must contain" the string, I assume the rule should be alerted on if the "String is NOT found".

      If the string is placed on top it doesn't find it, but if it's placed lower it suddenly does. The test shows this.

      SWPRConfusion01.JPG

      I changed when it should alert on the rule and now it works as I believe it should.

      SWPRConfusion02.JPG

      Basically, I don't really understand how the part "Alert on the rule below if string is found/NOT found" works together with the "must contain/must not contain" part.

      Any help in clarifying this is greatly appreciated, thanks for reading.