Get two IPs separately - regex

My log file has two IPs: src-ip:132.23.35.1, dest-ip:10.23.56.1.
I'm using the regex:
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
It gets both IPs. If I want to retrieve the IP address of src-ip (in this case, 132.23.35.1), how do I do that?
I expect to get the IPs of source-ip and dest-ip separately.

You could try
(?<=src-ip:)(.*)(?=,)
Example output from regexr
The regex code has been adapted from: Regex Match all characters between two strings
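As an added example (not part of the question or the answer above), the following Python snippet pulls each address out of a line in the question's format with a named capture group per field, so the source and destination are available by label rather than by position and the order of the fields on the line does not matter. The log lines below are constructed for the example.

```python
import re

# Constructed sample lines in the format used in the question (not real log data).
LOG_LINES = [
    "src-ip:132.23.35.1, dest-ip:10.23.56.1",
    "2024-01-01T00:00:00Z ALLOW src-ip:192.168.7.20, dest-ip:8.8.8.8 proto:udp",
    "dest-ip:10.0.0.5, src-ip:172.16.4.9",          # fields in the other order
    "src-ip:10.0.0.1 (no destination field)",
]

# Dotted quad, same loose shape as the question's regex (no octet-range validation).
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# One pattern per field: the label anchors the match, the named group holds the value.
FIELD_PATTERNS = {
    "src": re.compile(rf"\bsrc-ip:(?P<src>{IPV4})"),
    "dest": re.compile(rf"\bdest-ip:(?P<dest>{IPV4})"),
}


def extract_ips(line: str) -> dict:
    """Return {'src': ..., 'dest': ...} for one line; a field that is absent maps to None."""
    found = {}
    for name, pattern in FIELD_PATTERNS.items():
        m = pattern.search(line)
        found[name] = m.group(name) if m else None
    return found


if __name__ == "__main__":
    for line in LOG_LINES:
        print(extract_ips(line))
```

Searching for each labelled field separately is what makes the third line (destination first) come out right; a single pattern of the form `src-ip:(...), dest-ip:(...)` would silently miss it.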

RegEx - First Two Octet Match

I'm trying to learn RegEx using ImmersiveLabs/LinkedInLearning and other web-based resources and things are going well.
There's a small question to which I'm not sure how to even Google for an answer.
Scenario: an Azure ATP query in which I wanted to match the private addressing scheme
| where From_IP matches regex #'(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)'
It works well! Matches what I want it to. The question is - why?!
For example, shouldn't (^172\.2[0-9]\.) only match the first two octets of the string 172.20.1.9? Why is the entire IP then matched successfully?
Seems weird for me to question something that is working. Any tips are appreciated.
There is no $ in your regex, so your regex does not assert a position at the end of the line; it basically doesn't care what comes after 172.20. See for more info: regex101.com/r/TgjdVz/1
In addition, to match all private IPv4 subnets, use the following regex.
^(10(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){3}|((172\.(1[6-9]|2[0-9]|3[01]))|192\.168)(\.(25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})){2})$
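The two points in the answer above (the prefix-only pattern accepts anything that starts with a listed prefix, and the anchored pattern accepts exactly the RFC 1918 blocks) can be checked mechanically. The Python below is an added example, not code from the question or the answer: it compiles both patterns as posted, builds the ground truth with the standard library's ipaddress module, and lists where each pattern agrees or disagrees with it on a constructed set of boundary and look-alike inputs.

```python
import ipaddress
import re

# The prefix-only pattern from the question, exactly as posted.
PREFIX_ONLY = re.compile(
    r"(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)"
)

# The anchored pattern from the answer, with the octet alternation factored out for readability.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{1,2}|[0-9]{1,2})"
RFC1918 = re.compile(
    rf"^(?:10(?:\.{OCTET}){{3}}|(?:172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)(?:\.{OCTET}){{2}})$"
)

# Ground truth: the three RFC 1918 blocks, decided by ipaddress rather than by regex.
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True iff addr parses as an IPv4 address inside one of the RFC 1918 blocks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # malformed input is never private
        return False
    return any(ip in net for net in RFC1918_NETS)


def regex_says_private(addr: str) -> bool:
    return RFC1918.match(addr) is not None


def prefix_says_private(addr: str) -> bool:
    return PREFIX_ONLY.match(addr) is not None


# Constructed inputs (not from any real log), mapped to the RFC 1918 truth value:
# block edges on both sides, loopback, and strings that merely start like an address.
SAMPLES = {
    "172.20.1.9": True, "172.15.255.255": False, "172.16.0.0": True,
    "172.31.255.255": True, "172.32.0.0": False,
    "10.0.0.0": True, "10.255.255.255": True, "11.0.0.0": False,
    "192.168.0.1": True, "192.169.0.1": False,
    "127.0.0.1": False,        # loopback is listed in the prefix pattern but is not RFC 1918
    "10.1.2.3.4": False, "10.1.2.256": False, "10.1.2": False, "10.1.2.3abc": False,
}


def disagreements() -> list:
    """Inputs where the anchored regex and ipaddress differ (expected: none)."""
    return [a for a in SAMPLES if regex_says_private(a) != is_rfc1918(a)]


def prefix_false_positives() -> list:
    """Inputs the prefix-only pattern accepts although they are not RFC 1918 addresses."""
    return [a for a in SAMPLES if prefix_says_private(a) and not is_rfc1918(a)]


if __name__ == "__main__":
    print("anchored regex disagrees with ipaddress on:", disagreements())
    print("prefix-only pattern also accepts:", prefix_false_positives())
```

The last five sample strings are what the missing `$` buys you in practice: a prefix-only pattern is fine as a "starts with" filter over already-validated addresses, but it will also wave through five-octet strings, out-of-range octets and trailing junk if the field is not guaranteed to be a clean address.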

RegEx pattern for matching entire specific sets of IP address classes?

The RegEx below only highlights a specific private IP addressing scheme:
(?!^0\.)(?!^10\.)(?!^100\.6[4-9]\.)(?!^100\.[7-9]\d\.)(?!^100\.1[0-1]\d\.)(?!^100\.12[0-7]\.)(?!^127\.)(?!^169\.254\.)(?!^172\.1[6-9]\.)(?!^172\.2[0-9]\.)(?!^172\.3[0-1]\.)(?!^192\.0\.0\.)(?!^192\.0\.2\.)(?!^192\.88\.99\.)(?!^192\.168\.)(?!^198\.1[8-9]\.)(?!^198\.51\.100\.)(?!^203\.0\.113\.)(?!^22[4-9]\.)(?!^23[0-9]\.)(?!^24[0-9]\.)(?!^25[0-5]\.)(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))
As in this example, https://regex101.com/r/tKKYx0/3, I need to update the code to only match the public IP addresses in the list at the top.
A regex you can try is:
^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?=,)
Test here.
Note: I did not really understand how the first IPs are different from the rest of the IPs. My regex looks for IPs at the beginning of a line, immediately followed by a comma.
Note 2: My regex does not really validate IPs. E.g. 568.914.348.759 will be successfully returned.
For the new sample, try:
^(|(\S+.*?))(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
Test here.

Extract the Source IP Address from two different log samples with regex

I have a regular expression as follows:
"id.resp_h"|"rx_hosts":(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}),
I am trying to extract the Source IP Address from two different log samples. "id.orig_h" and "tx_hosts" are two different fields for Source IP. How do I ignore the speech marks and square brackets? I just want to extract the IP addresses.
schema_id=17127524534057985804:skip_writers="":{"_path":"conn","_system_name":"hostname","_write_ts":"2020-01-12T22:09:28.853417Z","ts":"2020-01-12T22:07:14.642074Z","uid":"Cm4cbmvRjlmd2I52c","id.orig_h":"192.168.1.1","id.orig_p":xxx,"id.resp_h":"192.168.1.2","id.resp_p":xxx,"proto":"udp",
schema_id=17223896091372211545:skip_writers="":{"_path":"files","_system_name":"Hostname","_write_ts":"2020-01-12T22:09:00.016260Z","ts":"2020-01-12T22:07:14.108217Z","fuid":"FnmzOv3Fkhr8lP0qL","tx_hosts":["192.168.1.1","192.168.1.1"],"rx_hosts":["192.168.1.10"],
Any help would be gratefully appreciated :-)
Thanks,
JM
Try this if you want to solve it with regex:
(?:"id\.resp_h"|"rx_hosts")[":\[]+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
See here
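The question names "id.orig_h" and "tx_hosts" as the source fields, one a plain string value and the other a JSON array. The Python below is an added example (not the asker's or answerer's code) of handling both shapes with one alternation: a character class skips whatever mix of colon, quote and bracket separates the field name from the first address, and a second pattern expands the array when every element is wanted. The sample lines are trimmed copies of the two log lines in the question, still truncated as they are there, which is why the JSON part is extracted with regex rather than parsed with json.loads.

```python
import re

# Trimmed copies of the two samples from the question; the JSON object is cut off
# exactly as it is there, so json.loads would raise on these lines.
LINES = [
    'schema_id=17127524534057985804:skip_writers="":{"_path":"conn","id.orig_h":"192.168.1.1","id.orig_p":xxx,"id.resp_h":"192.168.1.2","id.resp_p":xxx,"proto":"udp",',
    'schema_id=17223896091372211545:skip_writers="":{"_path":"files","tx_hosts":["192.168.1.1","192.168.1.1"],"rx_hosts":["192.168.1.10"],',
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# "id.orig_h" is followed by :" and "tx_hosts" by :[" ; [":\[]+ eats either separator.
# The dot in id.orig_h is escaped so it cannot match an arbitrary character.
SOURCE_IP = re.compile(rf'"(?:id\.orig_h|tx_hosts)"[":\[]+({IPV4})')

# For the array form, capture everything between the brackets and pull out each address.
TX_HOSTS_ARRAY = re.compile(r'"tx_hosts":\[([^\]]*)\]')
IPV4_RE = re.compile(IPV4)


def source_ip(line: str):
    """First source address on the line, from whichever field is present; None if neither is."""
    m = SOURCE_IP.search(line)
    return m.group(1) if m else None


def source_ips(line: str) -> list:
    """All source addresses: the single id.orig_h value, or every element of tx_hosts."""
    m = TX_HOSTS_ARRAY.search(line)
    if m:
        return IPV4_RE.findall(m.group(1))
    ip = source_ip(line)
    return [ip] if ip else []


if __name__ == "__main__":
    for line in LINES:
        print(source_ip(line), source_ips(line))
```

Where the lines are complete, splitting off the `{...}` part and feeding it to `json.loads` is the more robust route, since field order, whitespace and escaping stop mattering; the regex is the right tool only for fragments like the ones in the question.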

Regular expression for isolating Comcast IP addresses in access log file for Apache

Really the fact I want to use this for my Apache access log file is arbitrary and irrelevant, but it gives context to the situation.
I need to filter out records associated with Comcast IP addresses. Here's a list of the dynamic IP address ranges that Comcast assigns. I need a regular expression that can match all of those, and only those. I'll work on it on my own in the mean time but I figured there would be some RegEx guru out there on SO that would enjoy the problem.
A regex solution is possible, but very cumbersome, since the subnet masks are not multiples of 8. You will need to write a function to process the list and convert it into a regex.
It is better to use a regex to grab the IP address and test the IP address against the list of IP addresses from Comcast. A simple implementation would be a set which allows you to search for the nearest number that is smaller than the argument.
That is a lot of IP addresses.
For example, 24.0.0.0/12 defines the IP range 24.0.0.1 - 24.15.255.255. To match these numeric ranges with a regex:
24: 24
0-15: [0-9]|1[0-5]
0-255: [0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]
Which gives
(24)\.([0-9]|1[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])
And that's just for 24.0.0.0/12, 293 to go.
If you really want to do this you should write a small script to convert each IP range into a regex automatically.
Another approach would be to match any IP address and feed it into a callback that does the matching using an appropriate module / framework / API.
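Both answers above end with the same advice: write a small script that turns each CIDR block into a regex instead of doing 294 of them by hand. The Python below is an added example of exactly that (my code, not either answerer's): a generic decimal range-to-regex routine, a CIDR-to-regex wrapper built on it, an anchored allow list, and, because the earlier question on this page asks for the opposite, a deny list in the negative-lookahead shape used for "public addresses only" filters. A final function cross-checks any generated pattern against the ipaddress module on random addresses plus every block boundary, since boundaries are where hand-written octet ranges usually break. The function names are my own.

```python
import ipaddress
import random
import re

# Any single octet 0-255, the same alternation the answer above writes by hand.
OCTET_ANY = "[0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]"


def _digit_range(lo: str, hi: str) -> list:
    """Alternatives matching every decimal string s with lo <= s <= hi (equal length, lo <= hi)."""
    if len(lo) == 1:
        return [lo] if lo == hi else [f"[{lo}-{hi}]"]
    if lo[0] == hi[0]:
        return [lo[0] + p for p in _digit_range(lo[1:], hi[1:])]
    rest = len(lo) - 1
    zeros, nines = "0" * rest, "9" * rest
    head, mid, tail = [], [], []
    start, end = lo[0], hi[0]
    if lo[1:] != zeros:            # partial block under the lowest leading digit, e.g. 16..19
        head = [lo[0] + p for p in _digit_range(lo[1:], nines)]
        start = str(int(lo[0]) + 1)
    if hi[1:] != nines:            # partial block under the highest leading digit, e.g. 30..31
        tail = [hi[0] + p for p in _digit_range(zeros, hi[1:])]
        end = str(int(hi[0]) - 1)
    if start <= end:               # full blocks in between, e.g. 20..29
        lead = start if start == end else f"[{start}-{end}]"
        mid = [lead + "[0-9]" * rest]
    return head + mid + tail


def range_regex(lo: int, hi: int) -> str:
    """Unanchored alternation matching the integers lo..hi written without leading zeros."""
    parts = []
    while len(str(lo)) < len(str(hi)):   # split at 9, 99, ... so both ends have the same width
        top = 10 ** len(str(lo)) - 1
        parts += _digit_range(str(lo), str(top))
        lo = top + 1
    parts += _digit_range(str(lo), str(hi))
    return "|".join(parts)


def cidr_to_regex(cidr: str) -> str:
    """Unanchored regex for every address in an IPv4 block, one alternation per varying octet."""
    net = ipaddress.ip_network(cidr, strict=False)
    octets = []
    for lo, hi in zip(net.network_address.packed, net.broadcast_address.packed):
        octets.append(str(lo) if lo == hi else f"(?:{range_regex(lo, hi)})")
    return r"\.".join(octets)


def allow_list_regex(cidrs) -> str:
    """Anchored regex that matches a string iff it is an address inside one of the blocks."""
    return "^(?:" + "|".join(cidr_to_regex(c) for c in cidrs) + ")$"


def deny_list_regex(cidrs) -> str:
    """Anchored regex for a well-formed IPv4 address lying in none of the blocks
    (the negative-lookahead shape used for 'public addresses only' filters)."""
    excluded = "|".join(cidr_to_regex(c) for c in cidrs)
    return rf"^(?!(?:{excluded})$)(?:{OCTET_ANY})(?:\.(?:{OCTET_ANY})){{3}}$"


def regex_matches(regex: str, addr: str) -> bool:
    return re.fullmatch(regex, addr) is not None


def agrees_with_ipaddress(regex: str, cidrs, inside: bool = True, samples: int = 2000, seed: int = 1) -> bool:
    """Cross-check a generated regex against ipaddress on random addresses plus block edges."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    rng = random.Random(seed)
    probes = {str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(samples)}
    for n in nets:                 # first/last address of each block and their neighbours
        for edge in (int(n.network_address), int(n.broadcast_address)):
            probes.update(str(ipaddress.IPv4Address(edge + d)) for d in (-1, 0, 1) if 0 <= edge + d <= 0xFFFFFFFF)
    for p in probes:
        in_block = any(ipaddress.ip_address(p) in n for n in nets)
        if regex_matches(regex, p) != (in_block if inside else not in_block):
            return False
    return True


if __name__ == "__main__":
    print(cidr_to_regex("24.0.0.0/12"))   # same shape as the hand-written pattern above
```

For the Comcast list the generated allow list will be long (one alternation per block), which is the cumbersomeness the first answer warns about; the deny-list form stays short because the full-octet check is shared and only the excluded blocks are enumerated. Either way, run the cross-check before trusting a generated pattern in a filter.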

Regex to see if ip starts with 156.21.x.x

I'm writing a regex for Google Analytics and I need to block any IP from 156.21.x.x. I don't care about the last two octets, just the first two. I would like to keep the regex to as few characters as possible, as Google only allows 255 chars and my regex is already pretty large.
Not sure what flavor of regex or what language you're using, but this will work on most regex engines:
156\.21\.\d{1,3}\.\d{1,3}
Of course, this will match invalid IPs like 156.21.777.888, but if the list you're parsing doesn't contain invalid IP addresses, then you should be OK. Or:
156\.21(\.\d{1,3}){2}
If you are running short on space, this would work, though you would match non-IP addresses as well. If you can assume Google will give you valid IP addresses, this is your shortest option:
^156\.21\.
Matches things like: 156.21.1.1, 156.21.1000.1000, 156.21.ABC
But does not match http://156.21.1.1 ehlo 156.21.1000.1000
The following regex would match (almost) valid IPv4 addresses that start with 156.21:
(156\.21(?:\.[\d]{1,3}){2})