I can't find any documentation of rules syntax in reporter configuration. The corresponding documentation section only states it is as "supported by Mentat filter (MFilter)" - which is wrong (the library is called pynspect) and there is no link. Please, at least fix the name and add a link to pynspect documentation.
The other issue is that pynspect itself is not well documented, but you can't fix that.
Btw: The original issue I stumbled upon is a weird behavior of IP address matching. When I want to match Source.IP4 to a single IP address, this doesn't work: Source.IP4 == "1.2.3.4"
If I write it this way, it suddenly works: Source.IP4 in [ "1.2.3.4" ]
I know you probably can't fix that, but maybe it can be mentioned in the documentation as a known bug (or just unintuitive behaviour)?
pynspect will be replaced with a new library - ransack. This new library will (hopefully) be documented well enough. The documentation (still in progress) is currently available on gitlab-pages: https://ransack-125e0a.gitlab-pages.cesnet.cz/
Regarding the original issue you stumbled upon... well, it's weird. First of all, Source.IP4 is a list of IP addresses and you are comparing it to a single IP address. In pynspect, it should not be a problem as == operator compares using all elements of a list. Indeed, when I try the rule Source.IP4 == "1.2.3.4" on an event containing that IP address, I get a match.
Btw, in ransack the == operator is defined as 'strict equality'. So Source.IP4 == 1.2.3.4 or [1.2.3.4] == 1.2.3.4 will be evaluated to False, provided that Source.IP4 exists and is a list of values.