2 Replies Latest reply on Apr 4, 2018 9:01 PM by ebradford

    Negate multiple phrases in ncm compliance

    mmercaldieze

      I am trying to negate multiple phrases for an ncm compliance script, but I cannot figure this out.

       

      I can do:

      set device-group [^Spectrum].*

      and

      set device-group [^"Spect ONE"].*

       

      that will work to negate each one individually

      However when I do
      set device-group [^Spectrum |^Spect ONE"].*

      More than the 2 phrases above get negated for some reason

       

      How do I negate multiple phrases in a way that works on ncm compliance?

       

      Thanks

        • Re: Negate multiple phrases in ncm compliance
          ebradford

          Let's make sure I am understanding what you are trying to identify in the regular expression. You want to identify all instances which do NOT have the text Spectrum or "Spect ONE", followed by zero or more ANY characters (could be a space, underscore, number, letter, symbol) until the end of the line. Is that right?

           

          The way I understand Caret in Brackets is that it means match a character which does not match any of the characters in the brackets. So, [^Spectrum] is the same as [^cemprtuS] which would match with any number, and these letters: abdfghijklnoqrsvwxzyABCDEFGHIJKLMNOPQRTUVWXYZ, and any symbol. So, any line which has a c or a t (etc) in it would ignore from there to the end of the line.

           

          If the program you are using allows for the use of ! as a logical NOT operator (such as in SQL), then wouldn't it be better to use the following?
          !(Spectrum|Spect ONE).*

          That should match all strings characters that begin with Spectrum or Spect ONE at any place in the line, and then continue to match until the end of the line -- and then promptly NOT match that match, but match everything else.

            • Re: Negate multiple phrases in ncm compliance
              ebradford

              It dawns on me that there is another thing going on with [^Spectrum|^Spect ONE].*

              Since the combined regular expression will look for a character that will satisfy either expression, then it is essentially the same as [^Spect].

               

              If the character being evaluated is an x then the letter satisfies both [^Spectrum] and [^Spect ONE] because neither expression has x in it, so it is accepted.

               

              If the character being evaluated is an m, then the first expression is not satisfied since m is in [^Spectrum]; but does satisfy the second expression since m is not in [^Spect ONE], so it is accepted. Remember, the pipe | means accept satisfying either expression, so since one expression is satisfied, then accept it. [I think this is not what you want though.]

               

              Likewise, if the character being evaluated is a E then it satisfies the first expression, but not the second, but since it satisfies one of the expressions, then accept it. [Again, probably not what you want.]

               

              Only the characters S p e c t will satisfy neither expression, and hence won't be accepted by either expression.

               

              If you are trying to match on not in 1st collection of letters and not in 2nd collection of letters, then using the collections of letters you used above, all instances of NOT [Spectrum] AND NOT [Spect ONE]. In that case, you would want to use an angstrom (&).

               

              [^Spectrum&^Spect ONE].*                  --Remember, & is the angstrom

               

              If you had [^X|^Y] it would satisfy everything, because even the X and Y would satisfy one of the 2 expressions, and certainly everything else would satisfy both expressions. But if you want to satisfy [^X] AND [^Y] at the same time, then use [^X&^Y] (using the angstrom). X would not satisfy ^X but would not satisfy ^Y and BOTH must be satisfied in order to accept the expression, the X is rejected. Y would not be accepted either, but any other letter would be accepted.

               

              I think that is the operation you want to use, but for strings, not for individual characters. I think, from the formatting you used, you want to match on negated strings, not negated collection of letters. My understanding of brackets is that it is used to match letters, not strings.

               

              ----

              Oh, the previous post, I suggested !(Spectrum|Spect ONE).* -- but that won't work if using a cisco config since ! is a comment character.

              ----

               

              But, I'm not sure what you mean by "I can do". You can do what? You are using NCM compliance. But I'm unsure if you are writing a remediation script or trying to match a rule. I'm going to assume you are wanting to match on a rule. You want your configs to have one or both of the lines in the config. You don't want any other lines with set device-group in your configs. So to get there, if one or both of the lines is there (and not others) then ignore the config, but if the lines are missing or if they are present with other set device-group lines, then you want to flag that config. Is that what you want?

              set device-group Spectrum.*

              set device-group Spect ONE.*

               

              If I wanted to know of any configs that either didn't have any set device-group lines, or had set device-group other than with Spectrum or Spect ONE, I would set up the rule as follows:

               

              Alert on rule below if string IS found:
                  (  must not contain Reg-Ex set device-group                                                                                                    )
              
              OR  (  must     contain RegEx set device-group (Spectrum|Spect ONE).*\n(.*\n)*.*set device-group (Spectrum|Spect ONE).*\n(.*\n)*.*set device-group
              OR     must     contain RegEx set device-group (Spectrum|Spect ONE).*\n(.*\n)*.*set device-group.*\n(.*\n)*.*set device-group (Spectrum|Spect ONE) 
              OR     must     contain RegEx set device-group.*\n(.*\n)*.*set device-group (Spectrum|Spect ONE).*\n(.*\n)*.*set device-group (Spectrum|Spect ONE) )
              
              OR  (  must     contain RegEx set device-group
              AND    must not contain RegEx set device-group (Spectrum|Spect ONE)                                                                                )
              
              OR  (( must     contain RegEx set device-group (Spectrum|Spect ONE).*\n(.*\n)*.*set device-group
              OR     must     contain RegEx set device-group.*\n(.*\n)*.*set device-group (Spectrum|Spect ONE)                                                   )
              AND    must not contain RegEx set device-group (Spectrum|Spect ONE).*\n(.*\n)*.*set device-group (Spectrum|Spect ONE)                              )

               

              Line 2 alerts if there is no set device-group.

               

              Lines 4-6 alert if there is a device-group line in addition to both lines for Spectrum and Spect ONE

               

              Lines 8-9 alert if there is a device-group line but there is no device-group line for Spectrum/Spect ONE

               

              Lines 11-13 alert if there is a Spectrum/Spect One device-group line plus one other device-group line, but not if both lines are Spectrum/SpectOne lines.

               

              Evaluate each of the 4 sets of conditions to satisfy yourself that in that case you would want to be alerted. The ORs at lines 4, 8 and 11 mean that if any one of those 4 conditions exist, then alert on the rule.
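
An added example, not part of the thread and not NCM's own rule syntax: Python's `re` shows that the bracket form from the question negates single characters rather than phrases, and that a negative lookahead `(?!...)` negates whole phrases for the stated goal of flagging configs with no `set device-group` line or with a group other than Spectrum / Spect ONE. The sample configs are constructed, and whether the NCM rule editor accepts lookahead is an assumption to verify there.

```python
import re

# Allowed group names, taken from the thread.
ALLOWED = ("Spectrum", "Spect ONE")

# Bracket form from the question: ONE character that is not one of
# S, p, e, c, t, r, u, m, followed by the rest of the line.
CHAR_CLASS = re.compile(r"set device-group [^Spectrum].*")

# Phrase negation: the text after the keyword must not START with an
# allowed name (prefix match, like "Spectrum.*" in the thread's rule).
_names = "|".join(re.escape(n) for n in ALLOWED)
UNEXPECTED = re.compile(
    r"^[ \t]*set device-group (?!(?:%s)).*$" % _names, re.MULTILINE)
ANY_GROUP = re.compile(r"^[ \t]*set device-group\b", re.MULTILINE)


def char_class_flags(line):
    """True if the bracket pattern from the question matches the line."""
    return CHAR_CLASS.search(line) is not None


def audit(config):
    """Return findings: no device-group line, or a line outside ALLOWED."""
    if not ANY_GROUP.search(config):
        return ["no set device-group line"]
    return ["unexpected: " + m.group(0).strip()
            for m in UNEXPECTED.finditer(config)]


# Constructed sample configs (not from a real device).
CFG_OK = "hostname fw1\nset device-group Spectrum\nset device-group Spect ONE\n"
CFG_EXTRA = "hostname fw2\nset device-group Spectrum\nset device-group Sales\n"
CFG_NONE = "hostname fw3\nset timezone UTC\n"

if __name__ == "__main__":
    # "Sales" starts with S and "mgmt" with m, so the bracket form misses both.
    for name in ("Sales", "mgmt", "Metro East", "Spectrum"):
        print(name, char_class_flags("set device-group " + name))
    for cfg in (CFG_OK, CFG_EXTRA, CFG_NONE):
        print(audit(cfg))
```

The bracket pattern fails to flag `Sales` and `mgmt` only because their first letter happens to be in the set, which is the compliance gap the lookahead version closes.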