
Regex Help



Hi,

I am trying to parse a log file and wanted to extract just the ip address after "Callback address:" but I can't seem to get the expression correct

Here is the test string, the info I'd like to get is highlighted in bold.

"Some other text Callback address: 11.22.33.44 C&C risk level: blah blah blah"

Thanks in advance!

Edited by antmar904


@antmar904 One of our RegEx gurus will probably wander by soon to make this better, but this should give you a place to start:

$sString = "Some other text Callback address: 11.22.33.44 C&C risk level: blah blah blah"
$sNewString = StringRegExpReplace($sString, "[^0-9.]+", "") ; drop every run of characters that is not a digit or a dot
ConsoleWrite($sNewString & @CRLF)

 

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!


1 minute ago, JLogan3o13 said:

@antmar904 One of our RegEx gurus will probably wander by soon to make this better, but this should give you a place to start:

$sString = "Some other text Callback address: 11.22.33.44 C&C risk level: blah blah blah"
$sNewString = StringRegExpReplace($sString, "[^0-9.]+", "")
ConsoleWrite($sNewString & @CRLF)

 

Hi @JLogan3o13

The log file just changed and should be the same moving forward.

Here are all the contents of the log file, and the data that I would like to capture is highlighted in bold. Basically, the IP address listed after "Callback address:".

Thanks again!  RegEx is not my thing.

String:

C&C callback detected Compromised Host: COMPUTER1 IP Address: 122.111.222.33 Domain: Company\Workstations\ Date/Time: 1/22/2018 7:26:30 Callback address: 11.22.33.444 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked


Yes, that syntax would have been nice to know in the first place. You'll have to wait for someone more familiar with regex to wander by.


Hello.

$OrgString="Callback address: 11.22.33.222 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked"
$RegEx="(^.+?)(\b(?:\d{1,3}\.){3}\d{1,3}\b)(.+$)"
$RegExRepl="$2" ; $1 is the string before, $3 the string behind your IP address

$IPOnly=StringRegExpReplace($OrgString,$RegEx,$RegExRepl)

MsgBox(0,"Replace Result",$IPOnly)

 

As your LOG file will only hold valid IP addresses, it's obviously not necessary to check for valid IP addresses (numbers < 1..254 vs. 0..255).

 

regards, Rudi.

Edited by rudi

Earth is flat, pigs can fly, and Nuclear Power is SAFE!


14 minutes ago, rudi said:

Hello.

$OrgString="Callback address: 11.22.33.222 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked"
$RegEx="(^.+?)(\b(?:\d{1,3}\.){3}\d{1,3}\b)(.+$)"
$RegExRepl="$2" ; $1 is the string before, $3 the string behind your IP address

$IPOnly=StringRegExpReplace($OrgString,$RegEx,$RegExRepl)

MsgBox(0,"Replace Result",$IPOnly)

 

As your LOG file will only hold valid IP addresses, it's obviously not necessary, to check for valid IP addresses (numbers < 1..254 vs. 0..255)

 

regards, Rudi.

Hello @rudi

Thank you for your help; however, the log file may contain more than one IP address, and I am only looking to retrieve the IP address that comes right after "Callback address:".

Here is the whole test string:

"C&C callback detected Compromised Host: COMPUTER1 IP Address: 122.111.222.33 Domain: Company\Workstations\ Date/Time: 1/22/2018 7:26:30 Callback address: 11.22.33.444 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked"


Hi.

Try this:

Local $OrgString="C&C callback detected Compromised Host: COMPUTER1 IP Address: 122.111.222.33 Domain: Company\Workstations\ Date/Time: 1/22/2018 7:26:30 Callback address: 11.22.33.444 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked "
Local $RegEx="Callback address: ([\d.]*)"

Local $IPOnly=StringRegExp($OrgString,$RegEx, 1)

MsgBox(0,"Result",$IPOnly[0])

It shows the first IP after "Callback address: " (there is a trailing space).

Regards, Conrad

Edited by Simpel
typo
SciTE4AutoIt = 3.7.3.0   AutoIt = 3.3.14.2   AutoItX64 = 0   OS = Win_10   Build = 19044   OSArch = X64   Language = 0407/german
H:\...\AutoIt3\SciTE     H:\...\AutoIt3      H:\...\AutoIt3\Include     (H:\ = Network Drive)

Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind.


This one extracts the valid IP address after the first occurrence of "Callback address: " (11.22.33.444 is not a valid IP).

 

Local $sText =  "C&C callback detected Compromised Host: COMPUTER1 IP Address: 122.111.222.33 Domain: Company\Workstations\ Date/Time: 1/22/2018 7:26:30 Callback address: 11.22.33.444 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked"

Local $aResult = StringRegExp ($sText, "(?i)Callback address: ((?:(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(?2))\b", 1)
MsgBox(0, "", (@error ? "No valid IP found" : $aResult[0]) )

 


What are you doing with the returned list of callback addresses?  These look like TrendMicro logs getting parsed to get bounced off a list of IOCs or fed to a firewall...If there is further automation to be done and you have access to the AV Control Manager, then the rabbit hole goes deep and we love trimming steps out of processes at large (FD: I may or may not be our Trend admin).

Edited by iamtheky

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)


2 hours ago, iamtheky said:

What are you doing with the returned list of callback addresses?  These look like TrendMicro logs getting parsed to get bounced off a list of IOCs or fed to a firewall...If there is further automation to be done and you have access to the AV Control Manager, then the rabbit hole goes deep and we love trimming steps out of processes at large (FD: I may or may not be our Trend admin).

Yes, these are logs from TrendMicro that are being fed into our SIEM system, which is why I needed help with the RegEx to create a custom field with the callback address.


cool, are you writing the PCRE for index or search time parsing?  I only ask because we have some PCRE wizards here who could easily write you one that parses that log into all the fields using this as a model:

http://docs.trendmicro.com/en-us/enterprise/control-manager-60/ch_ag_tut_data_view/data_threat/data_threat_overall/data_threat_cnc.aspx

FD: I may or may not be the current leader of the Splunk user's group and also have a total boner for SIEM stuff.  And is this all OfficeScan stuff or do you get DDI logs too?  Because I might hit you up with questions if yall are running DDI.

 

 

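As an added example (not code from any poster in this thread), here is the same extraction in Python, covering both the octet-validated "Callback address:" pattern from the post above and the single PCRE that splits the whole C&C callback record into fields, as iamtheky suggests. The field labels are the ones visible in the test string in this thread; the two sample records are constructed here (the first is the thread's own line, whose callback address 11.22.33.444 is not a valid IPv4 address), and the group and function names are my own choices. Because Python's re module has no (?2) subroutine call, the octet alternation is repeated by string concatenation instead.

```python
import re

# Constructed sample records for this example (not real telemetry). The first is
# the line quoted in the thread; its "Callback address" 11.22.33.444 is not a
# valid IPv4 address. The second swaps in a valid one.
SAMPLE_INVALID = (
    "C&C callback detected Compromised Host: COMPUTER1 IP Address: 122.111.222.33 "
    "Domain: Company\\Workstations\\ Date/Time: 1/22/2018 7:26:30 "
    "Callback address: 11.22.33.444 C&C risk level: Dangerous "
    "C&C list source: Relevance Rule Action: Blocked"
)
SAMPLE_VALID = SAMPLE_INVALID.replace("11.22.33.444", "11.22.33.44")

# One octet 0-255 without leading zeros (the same alternation used in the thread).
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)"
# Lookarounds instead of \b: a dotted quad followed by another digit or dot
# (11.22.33.444) must fail rather than match its first three octets plus "44".
IPV4 = r"(?<![\d.])" + OCTET + r"(?:\." + OCTET + r"){3}(?![\d.])"
IPV4_RE = re.compile(IPV4)

# Anchored on the label, so the earlier "IP Address:" of the compromised host is
# never returned by mistake.
CALLBACK_RE = re.compile(r"Callback address:\s*(?P<callback>" + IPV4 + r")", re.IGNORECASE)


def extract_callback_ip(line):
    """Return the IPv4 address following 'Callback address:', or None when the
    label is absent or what follows it is not a well-formed dotted quad."""
    m = CALLBACK_RE.search(line)
    return m.group("callback") if m else None


# Field labels as they appear in the C&C callback record, in order. Each value
# runs lazily up to the next label, so multi-word values such as "Relevance Rule"
# survive intact. Group names are assumptions chosen for this example.
FIELDS = [
    ("Compromised Host", "compromised_host"),
    ("IP Address", "ip_address"),
    ("Domain", "domain"),
    ("Date/Time", "date_time"),
    ("Callback address", "callback_address"),
    ("C&C risk level", "risk_level"),
    ("C&C list source", "list_source"),
    ("Action", "action"),
]


def build_record_regex(fields):
    # Text before the first label becomes the "event" group
    # ("C&C callback detected" in the sample).
    pattern = r"^(?P<event>.*?)"
    for label, name in fields:
        pattern += r"\s*" + re.escape(label) + r":\s*(?P<" + name + r">.*?)"
    return re.compile(pattern + r"\s*$")


RECORD_RE = build_record_regex(FIELDS)


def parse_cnc_record(line):
    """Split one record into a dict of fields, or return None when the line does
    not carry every expected label. callback_address_valid flags whether the
    callback address is a well-formed IPv4 address (11.22.33.444 is not)."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    record = m.groupdict()
    record["callback_address_valid"] = IPV4_RE.fullmatch(record["callback_address"]) is not None
    return record


if __name__ == "__main__":
    for line in (SAMPLE_INVALID, SAMPLE_VALID):
        print(extract_callback_ip(line))
        print(parse_cnc_record(line))
```

Both patterns use only PCRE-compatible syntax (named groups, lookarounds, non-capturing groups), so the same strings can be reused where the thread's regex engine is PCRE, such as AutoIt's StringRegExp or an index-time extraction; keeping the strict octet check in the parser rather than trusting the log means a malformed callback value is flagged instead of silently indexed as an IP.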

28 minutes ago, iamtheky said:

cool, are you writing the PCRE for index or search time parsing?  I only ask because we have some PCRE wizards here who could easily write you one that parses that log into all the fields using this as a model:

http://docs.trendmicro.com/en-us/enterprise/control-manager-60/ch_ag_tut_data_view/data_threat/data_threat_overall/data_threat_cnc.aspx

FD: I may or may not be the current leader of the Splunk user's group and also have a total boner for SIEM stuff.  And is this all OfficeScan stuff or do you get DDI logs too?  Because I might hit you up with questions if yall are running DDI.

 

 

Yes, the PCRE is for indexing. Sorry, we don't use Trend's DDI :(
