13 | | * 正規表示法 Rules: |
14 | | |
15 | | 規則: |
16 | | |
17 | | || [^w] || 不要有w的字串 || |
18 | | || ^word || 待搜尋的字串(word)在行首 || |
19 | | || word$ || 待搜尋的字串(word)在行尾 || |
20 | | || . || 代表『任意一個』字符,一定是一個任意字符 || |
21 | | || \ || 跳脫字符,將特殊符號的特殊意義去除 || |
22 | | || * || 重複零個或多個的前一個 RE 字符 || |
23 | | || {n,m} || 連續 n 到 m 個的『前一個 RE 字符』|| |
24 | | || [] || 字元集合的 RE 特殊字符的符號 || |
25 | | || + || 重複『一個或一個以上』的前一個 RE 字符 || |
26 | | || ? ||『零個或一個』的前一個 RE 字符 || |
27 | | || | || 用或( or )的方式找出數個字串 || |
28 | | || ( ) || 找出『群組』字串 || |
29 | | |
30 | | 範例: |
31 | | |
32 | | {{{ |
33 | | 找tast 或 test: t[ae]st |
34 | | 不想要 oo 前面有 g: [^g]oo |
35 | | oo 前面不想要有小寫字元: [^a-z]oo |
36 | | 取得有數字的那一行 : [0-9] |
37 | | 只列出在行首的 the : ^the |
38 | | 不想要開頭是英文字母:^[^a-zA-Z] |
39 | | 行尾結束為小數點 (.) 的那一行 : \.$ |
40 | | 該行並沒有輸入任何資料:^$ |
41 | | 任意一個字元 .,如找good,gxxd,... :g..d |
42 | | 重複字元 * ,如找o,oo,oo...o:oo* |
43 | | 找出 g 開頭與 g 結尾的字串:g.*g |
44 | | 找出 g 後面接 2 到 5 個 o ,然後再接一個 g 的字串:go{2,5}g |
45 | | }}} |
46 | | |
47 | | --------- |
48 | | |
49 | | * Snort Log 範例 : |
50 | | {{{ |
51 | | [**] [1:2189:3] BAD-TRAFFIC IP Proto 103 PIM [**] [[br]] |
52 | | [Classification: Detection of a non-standard protocol or event] [Priority: 2] [[br]] |
53 | | 07/08-14:58:56.295033 140.110.138.253 -> 224.0.0.13 [[br]] |
54 | | PIM TTL:1 TOS:0xC0 ID:11423 IpLen:20 DgmLen:54 [[br]] |
55 | | [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0567][Xref => http://www.securityfocus.com/bid/8211] [[br]] |
56 | | }}} |
57 | | * 開發工具 : [http://www.waterproof.fr/products/RegExpEditor/ Regular Expression Editor] |
58 | | ----------- |
59 | | |
60 | | * [**] [1:2189:3] BAD-TRAFFIC IP Proto 103 PIM [**] |
61 | | |
62 | | 正規表示式: |
63 | | |
64 | | {{{ |
65 | | ^\[\**\] \[([1-9]*):([1-9]*):([1-9]*)\] ([^[]*) |
66 | | }}} |
67 | | |
68 | | 結果: |
69 | | |
70 | | || 1 || [**] [1:2189:3] BAD-TRAFFIC IP Proto 103 PIM || |
71 | | || 2 || 1 || |
72 | | || 3 || 2189 || |
73 | | || 4 || 3 || |
74 | | || 5 || BAD-TRAFFIC IP Proto 103 PIM || |
75 | | |
76 | | * [Classification: Detection of a non-standard protocol or event] [Priority: 2] |
77 | | |
78 | | 正規表示式: |
79 | | |
80 | | {{{ |
81 | | ^\[Classification: ([^]]*)\] \[Priority: ([1-9]*)\] |
82 | | }}} |
83 | | |
84 | | 結果: |
85 | | |
86 | | || 1 || [Classification: Detection of a non-standard protocol or event] [Priority: 2] || |
87 | | || 2 || Detection of a non-standard protocol or event || |
88 | | || 3 || 2 || |
89 | | |
90 | | * 07/08-14:58:56.295033 140.110.138.253 -> 224.0.0.13 |
91 | | |
92 | | 正規表示式: |
93 | | |
94 | | {{{ |
95 | | (^[0-9]*)\/([0-9]*)\-([0-9]*)\:([0-9]*)\:([0-9]*)\.[0-9]* ([^ ]*) -> ([^$]*) |
96 | | }}} |
97 | | |
98 | | 結果: |
99 | | |
100 | | || 1 || 07/08-14:58:56.295033 140.110.138.253 -> 224.0.0.13 || |
101 | | || 2 || 07 || |
102 | | || 3 || 08 || |
103 | | || 4 || 14 || |
104 | | || 5 || 57 || |
105 | | || 6 || 56 || |
106 | | || 7 || 140.110.138.253 || |
107 | | || 8 || 224.0.0.13 || |
108 | | |
109 | | * PIM TTL:1 TOS:0xC0 ID:11423 IpLen:20 DgmLen:54 |
110 | | |
111 | | 正規表示式: |
112 | | |
113 | | {{{ |
114 | | ([^ ]*) TTL:([^ ]*) TOS:([^ ]*) ID:([^ ]*) IpLen:([^ ]*) DgmLen:([^ ]*) |
115 | | }}} |
116 | | |
117 | | 結果: |
118 | | |
119 | | || 1 || PIM TTL:1 TOS:0xC0 ID:11423 IpLen:20 DgmLen:54 || |
120 | | || 2 || PIM || |
121 | | || 3 || 1 || |
122 | | || 4 || 0xC0 || |
123 | | || 5 || 11078 || |
124 | | || 6 || 20 || |
125 | | || 7 || 54 || |
126 | | |
127 | | |
128 | | * [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0567][Xref => http://www.securityfocus.com/bid/8211] |
129 | | |
130 | | 正規表示式: |
131 | | |
132 | | {{{ |
133 | | \[Xref => ([^]]*)\] |
134 | | }}} |
135 | | |
136 | | 注意:只能找出第一個 [Xref => 的連結 |
137 | | |
138 | | 結果: |
139 | | |
140 | | || 1 || [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0567] || |
141 | | || 2 || http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0567 || |
| 12 | [wiki:RegularExp] |