This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Announcements
Check out the new Professional Security Operations Engineer certification beta!
Log in to ask a question

Issue with regex pattern

Posted on 10-15-2024 08:59 PM
asinghz297
Bronze 3
Bronze 3
Reply posted on --/--/---- --:-- AM

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task>


This is a text. I want to write a regex that checks if the text contains Windows and EventID 4624 or 4625.
How am I supposed to do that?
regexp : .*Windows.*<EventID>\b(4624|4625)\b</EventID>.*

my expression is not working. 


Can anyone help?

 

Solved Solved
0 3 235
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
In response to asinghz297
Reply posted on --/--/---- --:-- AM

Hi @asinghz297,

The below should work - essentially within a 're.capture'[1] (the function you're using) you can't pass a variable to the first argument. Secondly, the way you were initiating the regex pattern was incorrect, as there was no " or ", or / or / like the below. Hope this helps!

 

rule Regex_Example {
 
  meta:
    author = "Ayman C"
    description = "Regex example"


  events:
    // $event.metadata.product_event_type = "1"
    // $event.metadata.description = "4688"
    $event.metadata.event_type  = "PROCESS_LAUNCH"

    $event.target.process.command_line = $Commandline

    $capture = re.capture($event.target.process.command_line, /.*Windows.*<EventID>\b(4624|4623)\b<\/EventID>.*/)


  condition:
    $event
}

 

AymanC_0-1729077207744.png

[1] - 


Kind Regards,

Ayman C

 

View solution in original post

Jump to Solution
0 Likes
3 REPLIES 3

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
Reply posted on --/--/---- --:-- AM

Hi @asinghz297 

This is likely as you haven't escaped the backslash in the last EventID call in brackets. Please see if the below works:

 

.*Windows.*<EventID>\b(4624|4625)\b<\/EventID>.*

 

Kind Regards,

Ayman

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
asinghz297
Bronze 3
Bronze 3
In response to AymanC
Reply posted on --/--/---- --:-- AM

$cap = re.capture($var, .*Windows.*<EventID>\b(4624|4623)\b<\/EventID>.*)

Error : 
tokenizing: regex not terminated: /EventID>.*)

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
AymanC
Silver 3
Silver 3
In response to asinghz297
Reply posted on --/--/---- --:-- AM

Hi @asinghz297,

The below should work - essentially within a 're.capture'[1] (the function you're using) you can't pass a variable to the first argument. Secondly, the way you were initiating the regex pattern was incorrect, as there was no " or ", or / or / like the below. Hope this helps!

 

rule Regex_Example {
 
  meta:
    author = "Ayman C"
    description = "Regex example"


  events:
    // $event.metadata.product_event_type = "1"
    // $event.metadata.description = "4688"
    $event.metadata.event_type  = "PROCESS_LAUNCH"

    $event.target.process.command_line = $Commandline

    $capture = re.capture($event.target.process.command_line, /.*Windows.*<EventID>\b(4624|4623)\b<\/EventID>.*/)


  condition:
    $event
}

 

AymanC_0-1729077207744.png

[1] - 


Kind Regards,

Ayman C

 

Jump to Solution
0 Likes
Top Solution Authors
View all