I am trying to write YARA rules to match simple IP Addresses (eg: 127.0.0.1 or 192.168.1.1). I understand that I can do it using Regular Expressions based on this open-source Github example.
However, YARA performance guidelines recommends us to avoid Regular Expressions whenever possible and use Hexadecimal Jumps/Wildcard matching instead, as stated in this Github Readme. I am using it on a large number of examples so I was keeping performance in mind.
I was wondering, does YARA need to get the IP in a hex format, or can I directly match it in the normal IP format (x.x.x.x)?
I was trying something like:
rule url_localhost
{
strings:
$hex_test = { [1-3] 2E [1-3] 2E [1-3] 2E [1-3] ?? ?? }
condition:
any of them
}
My logic was something like 3 numbers to start, then a dot (2E in ASCII), and repeating the same, and having wildcards in the end for a potential 'path' in the IP address (eg: 127.0.0.1/p)
It does not seem to directly work. Is this kind of use-case possible, or is Regex the only way to approach this?
I am not sure why, but it seems you cannot start or end your hex string with a jump ([]).
I got this to work:
rule url_localhost{
strings:
$hex_test = { ?? [0-2] 2E [1-3] 2E [1-3] 2E }
condition:
$hex_test
}
However, I still get a warning that the rule is slowing down the scan.
I have not done any testing of this method vs. regex, but I would think they are doing pretty much the same under the hood.
Related
I need to extract the first element ("adidas-originals") after "designer" in the following URL using regular expressions.
xxx/en-ca/men/designers/adidas-originals/shorts
This needs to be done in Google Big Query API (standard SQL). To this end, I have tried several ways to get the desired valued without any success. Below is the best solution that I have found so far which obviously is not the right one as it returns "/adidas-originals/shorts".
REGEXP_EXTRACT(hits.page.pagePath, r'designers([^\n]*)')
Thanks!
The [^\n]* matches 0 or more chars other than a newline, LF, so no wonder it matches too much.
You need a pattern to match up to the next /, so you may use
designers/([^/]+)
Or a more precise:
(?:^|/)designers/([^/]+)
See the regex demo
Details
(?:^|/) - either start of a string or / (you may just use / if designers is always preceded with /)
designers/ a designers/ substring
([^/]+) - Capturing group 1 (just what will be returned with the REGEXP_EXTRACT function): one or more chars other than /.
May the encryption string provided by PBEWithMD5AndDES and then Base64 encoded contain the CR and or LF characters?
Base64 is only printable characters. However when it's used as a MIME type for email it's split into lines which are separated by CR-LF.
PBEWithMD5AndDES returns binary data. PBE encryption is defined within the PKCS#5 standard, and this standard does not have a dedicated base 64 encoding scheme. So the question becomes for which system you need to Base 64 encode the binary data. Wikipedia has a nice section within the Base 64 article that explains the various forms.
You may encounter a PBE implementation that returns a Base 64, and the implementation does not mention which of the above schemes is used. In that case you need to somehow figure out which scheme is used. I would suggest searching for it, asking the community, looking at the source or if all fails, creating a set of tests on the output.
Fortunately you are pretty safe if you are decoding base 64 and you are ignoring all the white space. Note that some implementations are disregarding padding, so add it before decoding, if applicable.
If you perform the encoding base 64 yourself, I would strongly suggest to not output any whitespace, use only the default alphabet (with '+' and '/' signs) and always perform padding when required. After that you can always split the result and replace any non-standard character (especially the '+' and '/' signs of course), or remove the padding.
I was using java with Andorid SDK. I found that the command:
String s = Base64.encodeToString(enc, Base64.DEFAULT);
did line wrapping. It put LF chars into the output string.
I found that:
String s = Base64.encodeToString(enc, Base64.NO_WRAP);
did not put the LF characters into the output string.
I am looking to have a regular expression that allows only specific numbers to be entered, e.g. 2,4,5,6,10,18
I tried something like
"'2'|'4'|'5'|'6'|'10'|'18'"
and anything that i typed failed the regex and then the computer pointed its finger at me and laughed.
where am i going wrong?
The single quotes are unnecessary. The regex you are looking for is: ^(2|4|5|6|10|18)$.
The symbols ^ and $ denote the start and the end of the line, to prevent 121 from matching (since it contains 2).
I am trying to write a regular expression for ASP.NET MapPageRoute that matches a specific type of path.
I do not want to match anything with a file extension so I used this regex ^[^.]*$ which worked fine except it also picked up if the default document was requested. I do not want it to pick up the default document so I have been trying to change it to require at least one character. I tried adding .{1,} or .+ to the beginning of the working regex but it stopped working alltogether.
routes.MapPageRoute("content", "{*contentpath}", "~/Content.aspx", true, new RouteValueDictionary { }, new RouteValueDictionary { { "contentpath", #"^[^.]*$" } });
How can I change my regex to accomplish this?
Unfortunately my brain does not seem capable of learning regular expressions properly.
You want to change your * quantifier to +. * matches zero or more times, whereas + matches one or more. So, what you are asking for is this:
^[^.]+$
The regex is accomplishing this: "At the beginning of the string, match all characters that are not ., at least one time, up to the end of the string."
^[^.]+$
zero is to * as one is to +
I am looking for a Regular expression to match only if a date is in the first 28 days of the month. This is for my validator control in ASP.NET
Don't do this with Regex. Dates are formatted differently in different countries. Use the DateTime.TryParse routine instead:
DateTime parsedDate;
if ( DateTime.TryParse( dateString, out parsedDate) && parsedDate.Day <= 28 )
{
// logic goes here.
}
Regex is nearly the golden hammer of input validation, but in this instance, it's the wrong choice.
I don't think this is a task very well-suited for a regexp.
I'd try and use the library functions (DateTime.Parse for .NET) to parse the date and then check the day component of it. Everything else is duplicating half the library function anyways.
Why not just covert it to a date data type and check the day? Using a regular expression, while it could be done, just makes it overly complicated.
([1-9]|1\d|2[0-8]) // matches 1 to 28 but woudn't allow leading zeros for single digits
(0?[1-9]|1\d|2[0-8]) // matches 1 to 28 and would allow 01, 02,... 09
(where \d matches any digit, use [0-9] if your regex engine doesn't support it.)
See also the question What is the regex pattern for datetime (2008-09-01 12:35:45 ) ?
I would use one of the DateTime.TryParse techniques in conjunction with a CustomValidator