3.2 Extracting Data from Windows Log Sources - RX
1 hour 37 minutes
So one of the things I mentioned in the last lesson was that anchors at the start and end of a string are very limited when it comes to real life, potentially in security tools. You hit its limitations due to the way the data comes in; you know, you receive strings in multiple strings of data, and therefore you have not received, probably, what you're looking for.

So what I did for this example is, since data comes into, let's say, SIEMs in chunks, or in the OP comes in chunks, right? I looked up syslog examples and I found this little page on OSSEC right here. They have different logs and I'm gonna pick the Windows logs for now, and then we'll go over different logs during these examples, right?

And we have here a system log which I copy-pasted into a regex tool right here. So now that we have that, let me explain a little bit to you what this regex is for, for those that have not experienced this type of thing before. If you look carefully here in this line, it explains to you the fields. It's gonna be the date that you can see here, followed by the time, the weekday.

Let's say we want to build a rule to capture this port. What do we have to do? Well, first of all, we gotta look at how to build it. We do have numbers all over the place, but what is right before it or right after it that we don't have anywhere else? In this case, IPs are shown here. Now, the difference being is that this is the second time that an IP is shown, and there's no IPs afterwards, right?

So there's two ways to do this. The first one is a little bit riskier but might work, and it is that for this particular example, due to the way the syslogs are arriving, you can literally do... No. An IP has between one and three characters and a period before, so we're gonna use that as an example for this, right? And then you have four different segments, or octets, right? But remember, there's no dot at the end, so we're gonna be deleting that. So you have here four hits. Why? Because it's two different syslog entries. Okay.

What you do is you want to isolate for this port here. Now, if you look carefully, always, always after this IP and this other one, all right, it's gonna be a port, while the other one, I always have potentially a site name or a user name. So what we're gonna do is: the port is, well, it's digits, while a user name might be, uh, mixed digits or words, right? So most likely, if you're trying to use it for the user, you do \w. In this case we will be doing \d and a range, a one-through-five range. And yes, I had to Google it because it's not too common to write one to five. And that's the port.

Now what you'd like to do also is make sure you block the chances of this being detected somewhere else. You always do a \d, much as... I'm sorry, \s for space, since there's a space afterwards, right? And there you have it. Now what happens is this particular string captures the space, and we don't want that. We want to capture only the port. So what we do is we actually create a capture group around this parameter, right, using a parenthesis and a parenthesis. Make sure you add it before the space; otherwise you also capture the space, which might influence the detection or the correlation of tools or detections in your tools. Right? So in here you already have how to capture. Fairly easy, right?

Another thing is, for example, for this particular example, let's say the user name here is 80s, well, or let's say 123 space. Oh, now it gets detected. So what happens is you have to be careful, and then you have to weigh your options, right? So, like I said, that was high risk in the beginning, and it's because this might happen.

So how do we fix this? After it, you know, there's always a word, and it does not... it doesn't always have to be GET, right? But you do have a word, plus, because we don't know the range, followed by a space, right? And let's say here, right, we do have a site name, say, called Kevin, that we still detect, right? And here's where, you know, the magic happens. You write it, and here's where we break it. Sorry, I broke it the wrong way, and that's how you block it. And that's how you're more secure. If you put parameters both before and after the capture group, you're gonna be a lot more efficient when you're going to capture content for these types of rules or these types of patterns, right?

So let's say you actually want to capture... If you remember correctly, we didn't have this before, so when we build it, it's tricky; you might need to build it so it either detects the text or it doesn't detect that. So, first of all, like I said, if you recall correctly, if we delete what's afterwards, it would detect both of them. You can see it's already working. I don't have to build too much before this.

One thing you have to consider is this hashtag. This right now is numbers, but it might be letters, it might be other things. So this is that, right? Now, another thing to consider is that this might or might not be there, so we're gonna add this question mark. Another thing to consider is that right now we're capturing these numbers over here. Sorry. And your accent. We actually want to capture the word afterwards, so remove the capture group from there and put it on the next word. Boom. And again, you always put something afterwards there. And now you actually capture this.

But, Kevin, if I'm really capturing there, why is this GET still being detected? Well, there's different things you can do in this case. One of the things is you can either try to hit this next word over here, or you can say, do not detect slash in this case. Let's deal with this one first, which would be literally slash. Only you didn't have to put one if it's just one character. If you wanna detect it with a symbol or not, that's simple, right, it's a \w. You have to open the brackets for "not" to work; otherwise you're triggering the start anchor. So again, escape the character, close the bracket, and there we go: not a symbol. So it's two alternatives. Boom, it will work depending on the context of this index.