匹配 N 组正则表达式中的特定字母
Match specific letter from group N Regex
我有以下日志消息:
Aug 25 03:07:19 localhost.localdomainASM:unit_hostname="bigip1",management_ip_address="192.168.41.200",management_ip_address_2="N/A",http_class_name="/Common/log_to_elk_policy",web_application_name="/Common/log_to_elk_policy",policy_name="/Common/log_to_elk_policy",policy_apply_date="2020-08-10 06:50:39",violations="HTTP protocol compliance failed",support_id="5666478231990524056",request_status="blocked",response_code="0",ip_client="10.43.0.86",route_domain="0",method="GET",protocol="HTTP",query_string="name='",x_forwarded_for_header_value="N/A",sig_ids="N/A",sig_names="N/A",date_time="2020-08-25 03:07:19",severity="Eror",attack_type="Non-browser Client,HTTP Parser Attack",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="0",src_port="39348",dest_port="80",dest_ip="10.43.0.201",sub_violations="HTTP protocol compliance failed:Bad HTTP version",virus_name="N/A",violation_rating="5",websocket_direction="N/A",websocket_message_type="N/A",device_id="N/A",staged_sig_ids="",staged_sig_names="",threat_campaign_names="N/A",staged_threat_campaign_names="N/A",blocking_exception_reason="N/A",captcha_result="not_received",microservice="N/A",tap_event_id="N/A",tap_vid="N/A",vs_name="/Common/adv_waf_vs",sig_cves="N/A",staged_sig_cves="N/A",uri="/random",fragment="",request="GET /random?name=' or 1 = 1' HTTP/1.1\r\n",response="Response logging disabled"
我有以下正则表达式:
request="(?<Flag1>.*?)"
我现在尝试再次匹配名称为“Flag1”的前一组中的一些文本,我尝试将其标记为 /random?name=' or 1 = 1' 作为 Flag2 的新匹配。
如何在不在目标组中插入新标志的情况下从其他匹配的组号或标志名称中匹配所需的文本,例如:
request="(?<Flag1>\w+\s+(?<Flag2>.*?)\s+HTTP.*?)"
https://regex101.com/r/EcBv7p/1
谢谢。
如果我没理解错的话,你想匹配上一组匹配的任何字符串,对吧?
在这种情况下,您可以使用 \n 或在这种情况下使用
您可以使用
request="(?<Flag1>[A-Z]+\s+(?<Flag2>\/\S+='[^']*')[^"]*)"
参见regex demo。
详情:
(?<Flag1> - Flag1 组:
[A-Z]+ - 一个或多个大写 ASCII 字母\s+ - 一个或多个空格(?<Flag2>\/\S+='[^']*') - 组标志 2:/,一个或多个 non-whitespace 个字符,=',除 ' 以外的零个或多个字符,然后一个 ' 字符 [^"]* - "
) - Flag1 组结束。
我有以下日志消息:
Aug 25 03:07:19 localhost.localdomainASM:unit_hostname="bigip1",management_ip_address="192.168.41.200",management_ip_address_2="N/A",http_class_name="/Common/log_to_elk_policy",web_application_name="/Common/log_to_elk_policy",policy_name="/Common/log_to_elk_policy",policy_apply_date="2020-08-10 06:50:39",violations="HTTP protocol compliance failed",support_id="5666478231990524056",request_status="blocked",response_code="0",ip_client="10.43.0.86",route_domain="0",method="GET",protocol="HTTP",query_string="name='",x_forwarded_for_header_value="N/A",sig_ids="N/A",sig_names="N/A",date_time="2020-08-25 03:07:19",severity="Eror",attack_type="Non-browser Client,HTTP Parser Attack",geo_location="N/A",ip_address_intelligence="N/A",username="N/A",session_id="0",src_port="39348",dest_port="80",dest_ip="10.43.0.201",sub_violations="HTTP protocol compliance failed:Bad HTTP version",virus_name="N/A",violation_rating="5",websocket_direction="N/A",websocket_message_type="N/A",device_id="N/A",staged_sig_ids="",staged_sig_names="",threat_campaign_names="N/A",staged_threat_campaign_names="N/A",blocking_exception_reason="N/A",captcha_result="not_received",microservice="N/A",tap_event_id="N/A",tap_vid="N/A",vs_name="/Common/adv_waf_vs",sig_cves="N/A",staged_sig_cves="N/A",uri="/random",fragment="",request="GET /random?name=' or 1 = 1' HTTP/1.1\r\n",response="Response logging disabled"
我有以下正则表达式:
request="(?<Flag1>.*?)"
我现在尝试再次匹配名称为“Flag1”的前一组中的一些文本,我尝试将其标记为 /random?name=' or 1 = 1' 作为 Flag2 的新匹配。
如何在不在目标组中插入新标志的情况下从其他匹配的组号或标志名称中匹配所需的文本,例如:
request="(?<Flag1>\w+\s+(?<Flag2>.*?)\s+HTTP.*?)"
https://regex101.com/r/EcBv7p/1
谢谢。
如果我没理解错的话,你想匹配上一组匹配的任何字符串,对吧?
在这种情况下,您可以使用 \n 或在这种情况下使用 来匹配您的第一个捕获组匹配的相同内容
您可以使用
request="(?<Flag1>[A-Z]+\s+(?<Flag2>\/\S+='[^']*')[^"]*)"
参见regex demo。
详情:
(?<Flag1>- Flag1 组:[A-Z]+- 一个或多个大写 ASCII 字母\s+- 一个或多个空格(?<Flag2>\/\S+='[^']*')- 组标志 2:/,一个或多个 non-whitespace 个字符,=',除'以外的零个或多个字符,然后一个'字符[^"]*-" 以外的零个或多个字符
)- Flag1 组结束。