Thank you for the responses. I believe Robert and Martin are correct, this is at very least misbehavior. Zoltán, you're correct, that pattern does work. But lets look at a different example. This message -- Dropping TCP packet from outside:192.168.25.36/10001 to inside:10.0.25.56/22383, reason: MSS exceeded, MSS 1380, data 1400 -- only matches the pattern -- Dropping TCP packet from @ESTRING:::@@IPv4@/@NUMBER@ to @ESTRING:::@@IPv4@/@NUMBER@, reason: MSS exceeded, MSS @NUMBER@, data @NUMBER@ -- when the one of the @ESTRING:::@@IPv4@ blocks are changed to @STRING@:@IPv4@. If not a bug, why? On Wed, Apr 14, 2010 at 1:28 AM, Zoltán Pallagi <pzolee@balabit.hu> wrote:
Hi,
You don't need to escape it, it will work as you want to use (": "). The pattern that I am using: <pattern>@NUMBER:seqno@: @ESTRING:CISCO.DATE:: @@ANYSTRING:arg2@</pattern>