Forum Discussion
hooleylist
May 19, 2009 (Cirrostratus)
Hi Jackson,
A regex is going to be less efficient than a string comparison. That particular regex, which matches the domain name letters with any single character between each letter, won't match the first (type 1) NTLM message, where the domain isn't separated by null characters. If you replace the regex check with a string comparison looking just for *testdomain*, you should be able to block the first message. The third message has the domain name letters separated by nulls.
If you really want to use a regex, you could replace it with something like this, which does a case-insensitive match for testdomain with or without nulls between the letters. This would match the type 1 or type 3 messages.
(?i)t\000?e\000?s\000?t\000?d\000?o\000?m\000?a\000?i\000?n
But again, a string comparison will be more efficient than a regex, and you would only need to check for the type 1 message string.
Aaron
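The Type 1 versus Type 3 difference Aaron describes, as an added example that is not code from the original post (and not an iRule; it is Python so it runs anywhere). The two NTLM messages are constructed here rather than captured: a Type 1 negotiate message carries its domain as single-byte OEM text, a Type 3 authenticate message carries it as UTF-16LE, so every letter is followed by a NUL. The script runs the plain substring check and the null-tolerant regex over both, and, as a step beyond the post, also reads the domain straight out of its security buffer (length, max length, offset) so the check does not depend on pattern-matching the whole blob. The placeholder LM/NT response bytes, the "TESTDOMAIN" domain and the `check_header` helper are this example's own assumptions.

```python
import base64
import re
import struct

# Constructed NTLM messages for the example (not real captures). Layout is the
# NTLMSSP format: 8-byte signature, 4-byte type, 8-byte security buffers.
NTLMSSP = b"NTLMSSP\x00"
NEGOTIATE_UNICODE, NEGOTIATE_OEM, REQUEST_TARGET = 0x1, 0x2, 0x4
NEGOTIATE_NTLM, OEM_DOMAIN_SUPPLIED, OEM_WORKSTATION_SUPPLIED = 0x200, 0x1000, 0x2000


def secbuf(length: int, offset: int) -> bytes:
    """An NTLM security buffer: length, max length, offset (little-endian)."""
    return struct.pack("<HHI", length, length, offset)


def build_type1(domain: str, workstation: str) -> bytes:
    """Constructed Type 1 (negotiate): domain and workstation are OEM/ASCII."""
    dom, ws = domain.encode("ascii"), workstation.encode("ascii")
    flags = (NEGOTIATE_UNICODE | NEGOTIATE_OEM | REQUEST_TARGET | NEGOTIATE_NTLM
             | OEM_DOMAIN_SUPPLIED | OEM_WORKSTATION_SUPPLIED)
    hdr_len = 32  # signature, type, flags, two security buffers
    msg = NTLMSSP + struct.pack("<II", 1, flags)
    msg += secbuf(len(dom), hdr_len) + secbuf(len(ws), hdr_len + len(dom))
    return msg + dom + ws


def build_type3(domain: str, user: str, workstation: str) -> bytes:
    """Constructed Type 3 (authenticate): strings are UTF-16LE, so every
    letter is followed by a NUL byte. The responses are placeholder bytes."""
    dom, usr, ws = (s.encode("utf-16-le") for s in (domain, user, workstation))
    lm_resp, nt_resp = b"\x11" * 24, b"\x22" * 24  # constructed, not real hashes
    fields = [lm_resp, nt_resp, dom, usr, ws, b""]  # last one: empty session key
    hdr_len = 64  # signature, type, six security buffers, flags
    bufs, offset = b"", hdr_len
    for field in fields:
        bufs += secbuf(len(field), offset)
        offset += len(field)
    flags = struct.pack("<I", NEGOTIATE_UNICODE | NEGOTIATE_NTLM)
    return NTLMSSP + struct.pack("<I", 3) + bufs + flags + b"".join(fields)


def authorization_header(msg: bytes) -> str:
    """How the message travels over HTTP: 'Authorization: NTLM <base64>'."""
    return "NTLM " + base64.b64encode(msg).decode("ascii")


PLAIN_DOMAIN = b"testdomain"
# The post's regex in Python byte-pattern syntax (\x00 where Tcl writes \000):
# each letter may be followed by one optional NUL, and (?i) ignores case.
NULL_TOLERANT = re.compile(
    rb"(?i)t\x00?e\x00?s\x00?t\x00?d\x00?o\x00?m\x00?a\x00?i\x00?n")


def plain_match(msg: bytes) -> bool:
    """Case-insensitive substring check; only finds the OEM form (Type 1)."""
    return PLAIN_DOMAIN in msg.lower()


def regex_match(msg: bytes) -> bool:
    """Null-tolerant regex; finds the OEM (Type 1) and UTF-16LE (Type 3) forms."""
    return NULL_TOLERANT.search(msg) is not None


def message_type(msg: bytes) -> int:
    if not msg.startswith(NTLMSSP):
        raise ValueError("not an NTLMSSP message")
    return struct.unpack_from("<I", msg, 8)[0]


def parsed_domain(msg: bytes) -> str:
    """Read the domain from its security buffer instead of pattern-matching
    the whole blob, which avoids false positives from other fields."""
    mtype = message_type(msg)
    if mtype == 1:
        length, _, off = struct.unpack_from("<HHI", msg, 16)
        return msg[off:off + length].decode("ascii")
    if mtype == 3:
        bufs = [struct.unpack_from("<HHI", msg, 12 + 8 * i) for i in range(5)]
        length, _, off = bufs[2]  # order: LM, NT, domain, user, workstation
        # Flags at offset 60 exist only if no buffer's data starts before 64.
        has_flags = min(o for _, _, o in bufs) >= 64
        flags = struct.unpack_from("<I", msg, 60)[0] if has_flags else NEGOTIATE_UNICODE
        encoding = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
        return msg[off:off + length].decode(encoding)
    raise ValueError(f"Type {mtype} message carries no domain field")


def check_header(value: str) -> dict:
    """Decode an Authorization header value and run all three checks on it."""
    scheme, _, b64 = value.partition(" ")
    if scheme.upper() != "NTLM":
        raise ValueError("not an NTLM Authorization header")
    msg = base64.b64decode(b64)
    return {"type": message_type(msg), "plain": plain_match(msg),
            "regex": regex_match(msg), "domain": parsed_domain(msg)}


if __name__ == "__main__":
    for label, msg in (("Type 1", build_type1("TESTDOMAIN", "WS01")),
                       ("Type 3", build_type3("TESTDOMAIN", "alice", "WS01"))):
        print(label, check_header(authorization_header(msg)))
```

Running it shows the plain check hitting only the Type 1 message and the null-tolerant regex hitting both, while `parsed_domain` returns "TESTDOMAIN" for either. Two practical caveats: a plain substring check is case-sensitive unless you lowercase the decoded message first (here done with `msg.lower()`; in an iRule the equivalent is `string tolower`), and the header value must be base64-decoded before either check, since the NUL bytes and the domain letters are not visible in the encoded form.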