NOTE: This article is aimed at SIQ (FAM) version 8.1 and below.
This document has sample regular expressions that can be used to exclude SMB shares from the crawling process. Use these expressions on the crawler configuration screen of the SMB application.
The regular expressions and the results are based on the SMB server below. They were developed using SecurityIQ 5.0 crawling a Windows server, but the same expressions will work on other SMB servers. Be sure to read the notes for tips.
Server name (as configured in the SecurityIQ application): SVR1
Shares:
Use these regular expressions when you want to exclude certain shares from the crawling process.
Regular Expression | All shares are crawled except these | Notes |
---|---|---|
\\\\SVR1\\ExcludeShare(|\\.) | ExcludeShare | |
\\\\SVR1\\C(|\\.) | C$ | This is a basic and effective exclusion for Windows. |
\\\\SVR1\\(C|ExcludeShare)(|\\.) | C$ and ExcludeShare | Add an additional pipe and share name to this expression to exclude more shares. |
Double Negative
These regular expressions say: do not crawl the things that do not match the items we want to scan. In other words, they exclude everything that does not match. This is accomplished by wrapping the expression in ^(?!sometext).
Regular Expression | All shares are excluded except these shares | Notes |
---|---|---|
^(?!\\\\SVR1\\E(|\\.)). | E$, ExcludeShare | Notice both shares that start with 'E' are crawled |
^(?!\\\\SVR1\\E\$(|\\.)). | E$ | 'ExcludeShare' is no longer crawled |
^(?!\\\\svr1\\E\$(|\\.)). | Nothing was crawled, the lowercase server svr1 did not match the server name entered in the SecurityIQ application configuration. | Notice the case-sensitive nature |
^(?!\\\\SVR1\\e\$(|\\.)). | Nothing was crawled, the lowercase 'e' did not match 'E$' | Notice that the path is case-sensitive |
^(?!\\\\SVR1\\DEPT(|\\.)). | DEPT | Limit to a single share. |
^(?!\\\\SVR1\\(DEPT|TestShare)(|\\.)). | DEPT$, TestShare | Add an additional pipe and share name to this expression to add more shares. |
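The following is an added example, not part of the original article or the product: a small Python harness for checking an exclusion expression against a share list before entering it in the crawler configuration, so that a case mismatch that would leave nothing crawled is caught first. It assumes Python's `re` behaves like the product's regex engine for these expressions and that a path is excluded when the expression matches anywhere in it; the share list and the function names `crawled` and `missing` are constructed for illustration.

```python
import re

# Constructed sample data: share names taken from the result columns above.
SERVER = "SVR1"  # server name as configured in the application
SHARES = ["C$", "E$", "ExcludeShare", "DEPT", "TestShare"]


def crawled(exclude_regex, shares=SHARES, server=SERVER):
    """Return the shares that are NOT matched by the exclusion expression.

    Assumption: a share is excluded when the expression matches its UNC
    path (re.search); this reproduces the results listed in the tables.
    Matching is case-sensitive, as the article notes.
    """
    pattern = re.compile(exclude_regex)
    kept = []
    for share in shares:
        unc = "\\\\" + server + "\\" + share  # e.g. \\SVR1\E$
        if not pattern.search(unc):
            kept.append(share)
    return kept


def missing(exclude_regex, must_crawl):
    """Return the shares that must be crawled but would be excluded."""
    kept = crawled(exclude_regex)
    return [share for share in must_crawl if share not in kept]


if __name__ == "__main__":
    # Expressions copied from the tables, paired with the shares the
    # administrator intends to keep in scope (constructed expectations).
    checks = [
        (r"\\\\SVR1\\(C|ExcludeShare)(|\\.)", ["E$", "DEPT", "TestShare"]),
        (r"^(?!\\\\SVR1\\E\$(|\\.)).", ["E$"]),
        (r"^(?!\\\\svr1\\E\$(|\\.)).", ["E$"]),  # wrong case: nothing crawled
    ]
    for expr, wanted in checks:
        kept = crawled(expr)
        gap = missing(expr, wanted)
        status = "OK" if not gap else "NOT CRAWLED: " + ", ".join(gap)
        print(f"{expr}\n  crawled: {kept or 'nothing'}\n  {status}")
```
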