Sunday, February 07, 2010

Forensic Regexes

The other day on the #volatility channel we were discussing how it might be nice to have a list of Perl Regex for common things like IP addresses etc. Here are a few items we came up with:

IP Address: (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)

MAC Address: ([a-fA-F0-9]{2}\:){5}[a-fA-F0-9]{2}

URL: (http|https|ftp|mail)\:[\/\w.]+

Email: [A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}

You can find some other Regex expressions on the SANS blog however the regex expression for IP addresses matches items like 999.999.999.999, which we know is not a valid IP address.

There's a nice post by geek00l listed at the bottom of the SANS post which links to other interesting posts.

Other references of interest:

Regular-Expressions.info
Regex Reference

What would you like to add to the list?

6 comments:

Anonymous said...

which we know is not a valid ip address

Jamie Levy said...

thanks for the fix.

Jeff - KK4ETK said...

Three good REGEX builders are:

Regulazy
http://weblogs.asp.net/rosherove/archive/2006/07/09/IntroducingRegulazy10.aspx

Regex Creator
http://sourceforge.net/projects/regexcreator/

Rad Software Regular Expression Designer
http://www.radsoftware.com.au/regexdesigner/

All three have strengths, and it really depends on what you're doing.
--infosec208

Jamie Levy said...

@Kiddo thanks for the links :-)

cdf123 said...

Here's the ones I've used, broken into nice bite-sized pieces, I put these in an include file and source it.

my $REG0TO255="(2([0-4][0-9]|5[0-5])|1[0-9]?[0-9]|[1-9][0-9]?|[0-9])";
my $REGIP = $REG0TO255 . "(\\." . $REG0TO255 . "){3}";

my $REGVAL="(255|254|252|248|240|224|192|128|0)";
my $REGMASK = "((255\.){3}" . $REGVAL . "|(255\.){2}" . $REGVAL . "(\.0){1}|(255\.){1}" . $REGVAL . "(\.0){2}|" . $REGVAL . '(\.0){3})';

my $REGCIDR = '(3[0-2]|[12][0-9]|[0-9])';

Jamie Levy said...

@cdf123 Cool! Thanks for sharing :-)