RegEx look-ahead/look-behind when the look-behind pattern differs

zsbz8rwp posted on 2023-05-08 in Other

First, I apologize for posting this ugly, long sample, but it is all I could muster. I am looking up the IP addresses of malware sources and hosts. My pattern works fine for the host, but when I try to return the source IP it breaks, because the pattern captured in the look-behind part of the log changes. So I am stuck.

logs = [
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12446 devicePayloadId=8F003A0D28D9 rt=2023-05-03 00:09:25 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=MIM0002012 TMCMLogDetectedHost=MIM0002012 src=172.16.4.90 TMCMLogDetectedIP=172.16.4.90 cs3Label=SLF_DomainName cs3=Acme act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=173.233.137.60 deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12447 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:58 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=192.243.61.227 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12448 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:58 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=173.233.137.36 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12449 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:59 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=192.243.59.13 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12450 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:15 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12451 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:16 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12452 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:19 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Windows\\\\System32\\\\svchost.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12453 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:19 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01"
]

The host IP is located in the following part:

The code is:

import re

# Look-behind on src=, lazy match up to the TMCMLogDetectedIP= key (raw string so \s is not an escape)
endpoint_ip_list = [re.search(r'(?<=src=).*?(?=\s+TMCMLogDetectedIP=)', log).group() for log in logs]

Output:

['172.16.4.90', '10.10.110.69', '10.10.110.69', '10.10.110.69', '10.10.220.172', '10.10.220.172', '10.10.220.172', '10.10.220.172']

The second part is the source IP (the likely attack origin), which can be found in this section:

Sometimes the log shows a domain instead of an IP address, depending on the policy. So when I run the regex for the green-highlighted part, it obviously breaks.

# Same look-behind approach on dst=; raises on a log line that has no dst= field
callback_ip_list = [re.sub('dst=','',re.search(r'(?<=dst=).*?(?=\s+deviceProcessName=)',log).group()) for log in logs]

Output:

callback_ip_list = [re.sub('dst=','',re.search('(?<=dst=).*?(?=\s+deviceProcessName=)',log).group()) for log in logs]
AttributeError: 'NoneType' object has no attribute 'group'

If you know a way to capture the IP and the domain in the same expression, that would be perfect, but I am content with any fix for this tbh. Thanks for your help!


waxmsbnn1#

Try (Regex101):

import re

logs = [
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12446 devicePayloadId=8F003A0D28D9 rt=2023-05-03 00:09:25 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=MIM0002012 TMCMLogDetectedHost=MIM0002012 src=172.16.4.90 TMCMLogDetectedIP=172.16.4.90 cs3Label=SLF_DomainName cs3=Acme act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=173.233.137.60 deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12447 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:58 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=192.243.61.227 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12448 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:58 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=173.233.137.36 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12449 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:59 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=192.243.59.13 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12450 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:15 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12451 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:16 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12452 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:19 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Windows\\\\System32\\\\svchost.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12453 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:19 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01"
]

for line in logs:
    m = re.search(r'src=(\S+).*(?:dst=|cs5Label=)(\S+)', line)
    if m:
        print(f'src={m.group(1)} dst={m.group(2)}')
    else:
        print('Not found.')

Prints:

src=172.16.4.90 dst=173.233.137.60
src=10.10.110.69 dst=192.243.61.227
src=10.10.110.69 dst=173.233.137.36
src=10.10.110.69 dst=192.243.59.13
src=10.10.220.172 dst=CnCDestinationURL
src=10.10.220.172 dst=CnCDestinationURL
src=10.10.220.172 dst=CnCDestinationURL
Not found.

wlzqhblo2#

Use an alternation to match either dst= or cs5= before deviceProcessName=:

(?:(?<=dst=).*?|(?<=cs5=).*?)(?=\s+deviceProcessName=)
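As an added example (my code, not either answerer's or Trend Micro's), the block below applies both answers' ideas to constructed sample lines laid out like the question's: the look-behind alternation from the second answer is wrapped so that a line without a destination field returns None instead of raising the AttributeError from the question, and a small key=value parser for the CEF extension is shown as the alternative that needs no look-behind at all, because it reads dst= when present and otherwise the cs5= URL whose cs5Label says CnCDestinationURL. It also handles a value containing spaces (deviceFacility=Apex One, the rt timestamp, the deviceProcessName path), which a plain split on whitespace would break. Note that the first answer's alternative cs5Label= captures the label text CnCDestinationURL, as its printed output shows, not the domain; the destination a defender wants to pivot on is the cs5= value. The sample lines, the helper names and the function names are my own assumptions.

```python
import re
from typing import Optional

# Constructed sample lines (not the original post's data), kept to the same CEF layout as
# the question: line 1 carries dst=, line 2 carries a cs5= URL instead, line 3 is truncated
# before src= the way the last line of the question is.
SAMPLE_LOGS = [
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|"
    "CnC:Block|CnC Callback|3|deviceExternalId=12446 rt=2023-05-03 00:09:25 "
    "deviceFacility=Apex One shost=MIM0002012 src=172.16.4.90 TMCMLogDetectedIP=172.16.4.90 "
    "act=Block cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=173.233.137.60 "
    "deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe "
    "dvchost=somedomain.manage.trendmicro.com",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|"
    "CnC:Block|CnC Callback|3|deviceExternalId=12452 rt=2023-05-03 09:42:19 "
    "deviceFacility=Apex One shost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 "
    "act=Block cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL "
    "cs5=somewebsite.com deviceProcessName=C:\\\\Windows\\\\System32\\\\svchost.exe "
    "dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|"
    "CnC:Block|CnC Callback|3|deviceExternalId=12453 rt=2023-05-03 09:42:19 "
    "deviceFacility=Apex One shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01",
]

# The second answer's pattern: either look-behind branch, then a lazy run of characters
# up to the whitespace that precedes the deviceProcessName= key.
CALLBACK_RE = re.compile(r'(?:(?<=dst=).*?|(?<=cs5=).*?)(?=\s+deviceProcessName=)')


def callback_by_regex(line: str) -> Optional[str]:
    """Destination via look-behind alternation; None when the line has neither field."""
    m = CALLBACK_RE.search(line)
    return m.group() if m else None


# One CEF extension pair: a key, '=', then a value that runs until the next ' key=' token
# or the end of the line, so values containing spaces survive intact.
KV_RE = re.compile(r'(\w+)=(.*?)(?=\s+\w+=|\s*$)')


def parse_cef_extension(line: str) -> dict:
    """Split off the seven pipe-delimited CEF header fields and parse the extension."""
    parts = line.split('|', 7)
    if len(parts) < 8:          # not a CEF line, or header only
        return {}
    return {key: value for key, value in KV_RE.findall(parts[7])}


def callback_by_fields(line: str) -> Optional[str]:
    """Destination via parsed fields: dst= if present, else the cs5= CnC URL."""
    fields = parse_cef_extension(line)
    if 'dst' in fields:
        return fields['dst']
    if fields.get('cs5Label') == 'CnCDestinationURL':
        return fields.get('cs5')
    return None


def callback_table(logs):
    """(endpoint src, blocked destination) per line; None marks a missing field."""
    return [(parse_cef_extension(line).get('src'), callback_by_fields(line)) for line in logs]


if __name__ == '__main__':
    for src, dst in callback_table(SAMPLE_LOGS):
        print(f'src={src} dst={dst}')
```

Both routes give the same destinations on the sample lines; the parsed-field route additionally returns the endpoint src and every other extension value, so a truncated line shows up as None rather than as an exception part-way through the list comprehension.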
