Home > Back-end >  Match specific letter from group N Regex
Match specific letter from group N Regex

Time:05-21

I have the following log message:

Aug 25 03:07:19 localhost.localdomainASM:unit_hostname="bigip1",management_ip_address="192.168.41.200",management_ip_address_2="N/A",http_class_name="/Common/log_to_elk_policy",web_application_name="/Common/log_to_elk_policy",policy_name="/Common/log_to_elk_policy",policy_apply_date="2020-08-10 06:50:39",violations="HTTP protocol compliance failed",support_id="5666478231990524056",request_status="blocked",response_code="0",ip_client="10.43.0.86",route_domain="0",method="GET",protocol="HTTP",query_string="name='",x_forwarded_for_header_value="N/A",sig_ids="N/A",sig_names="N/A",date_time="2020-08-25 03:07:19",severity="Eror",attack_type="Non-browser Client,HTTP Parser Attack",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="0",src_port="39348",dest_port="80",dest_ip="10.43.0.201",sub_violations="HTTP protocol compliance failed:Bad HTTP version",virus_name="N/A",violation_rating="5",websocket_direction="N/A",websocket_message_type="N/A",device_id="N/A",staged_sig_ids="",staged_sig_names="",threat_campaign_names="N/A",staged_threat_campaign_names="N/A",blocking_exception_reason="N/A",captcha_result="not_received",microservice="N/A",tap_event_id="N/A",tap_vid="N/A",vs_name="/Common/adv_waf_vs",sig_cves="N/A",staged_sig_cves="N/A",uri="/random",fragment="",request="GET /random?name=' or 1 = 1' HTTP/1.1\r\n",response="Response logging disabled"

And I have the following RegEx:

request="(?<Flag1>.*?)"

I trying now to match some text again from the previous group under name "Flag1", the new match that I'm trying to flag it is /random?name=' or 1 = 1' as Flag2.

How can I match the needed text from other matched group number or flag name without insert the new flag inside the targeted group like:

request="(?<Flag1>\w \s (?<Flag2>.*?)\s HTTP.*?)"

https://regex101.com/r/EcBv7p/1

Thanks.

CodePudding user response:

You can use

request="(?<Flag1>[A-Z] \s (?<Flag2>\/\S ='[^']*')[^"]*)"

See the regex demo.

Details:

  • (?<Flag1> - Flag1 group:
    • [A-Z] - one or more uppercase ASCII letters
    • \s - one or more whitespaces
    • (?<Flag2>\/\S ='[^']*') - Group Flag2: /, one or more non-whitespace chars, =', zero or more chars other than ', and then a ' char
    • [^"]* - zero or more chars other than "
  • ) - end of Flag1 group.

CodePudding user response:

If I understand you correctly, you want to match whatever string a previous group has matches, right? In that case you can use \n or in this case \1 to match the same thing that your first capture group matched

Page link:https//www.codepudding.com/Backend/414104.html

Prev:Regex match words without alphabet
Next:Regex for extracting every character except numbers and specific words at the end of string
  • Related

About Us:  Contact Us      Terms of Service       Privacy Policy

Copyright © 2010-2023,Powered By CodePudding