Knowing how to write RegEx is crucial for creating or customizing modules or rules for Fail2Ban, Snort, etc.

A RegEx is a pattern: the engine scans the text and returns whatever matches the syntax of the expression.

A great online tool for testing expressions in real time is RegExr [Link].

Basics

  • /abc/
    • searches for abc in the text and stops at the first match.
  • /abc/g
    • searches for abc in the text; the g flag keeps searching through the text for more matches.
  • /abc/gi
    • the i flag makes the search case insensitive.
  • /a+/g
    • searches for one or more consecutive a's.
  • /ab?/g
    • searches for a optionally followed by b. The token immediately before ? is optional.
  • /ab*/g
    • * means any number of b's, from zero to many, after a.
  • /.b/g
    • . is a wildcard, so this searches for any character followed by b. It is not interpreted as a literal period.
  • /\./g
    • searches for the period itself. The same applies to ()[]{} etc.: write \(\)\[\]\{\} so the character is matched literally instead of being interpreted.
  • /\.$/g
    • searches for the period at the end of the text.
  • /\.$/gm
    • searches for the period at the end of each line.
  • /^abc/g
    • searches for abc at the beginning of the text.
  • /^abc/gm
    • searches for abc at the beginning of each line in a multiline text.
  • /\w/g
    • matches any word character (letter, digit or underscore).
  • /\W/g
    • matches any character that is not a word character.
  • /\s/g
    • matches any whitespace character.
  • /\S/g
    • matches any character that is not whitespace.
  • /\w{5}/g
    • matches any 5 consecutive word characters.
  • /\w{5,}/g
    • matches 5 or more consecutive word characters.
  • /\w{5,8}/g
    • matches 5 to 8 consecutive word characters.
  • /\d/g
    • \d means digits (numbers).
  • /[aáàãăâ]bc/g
    • matches any one character from the list followed by bc.
  • /[a-zA-Z0-9]/g
    • list characters using ranges.
  • /[^0-9]/g
    • searches for characters NOT in the list.
  • /(abc|xyz)/g
    • a group of alternatives; the operator | means or.
  • /(x|y|z){2,3}/g
    • requires two or three consecutive characters from the group to match.
  • /(?<=abc)./g
    • the positive lookbehind matches any character that is preceded by abc, without selecting the abc itself.
  • /(?<!abc)./g
    • the negative lookbehind matches any character that is NOT preceded by abc.
  • /.(?=abc)/g
    • the positive lookahead matches any character that is followed by abc.
  • /.(?!abc)/g
    • the negative lookahead matches any character that is NOT followed by abc.
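
The constructs above combined into one log-matching pattern of the kind a Fail2Ban-style rule needs. This is an added example, not part of the original page and not Fail2Ban's own filter syntax; the log lines are constructed, and the names SAMPLE_LOG, FAILED_LOGIN, failedLogins and offenders are hypothetical.

```javascript
// Constructed sshd-style log lines (not real data). The IP addresses come
// from ranges reserved for documentation.
const SAMPLE_LOG = [
  "Jan 10 03:14:07 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2",
  "Jan 10 03:14:09 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2",
  "Jan 10 03:15:30 host sshd[1310]: Accepted password for alice from 198.51.100.20 port 40022 ssh2",
  "Jan 10 03:16:02 host sshd[1322]: Failed password for bob from 198.51.100.9 port 40100 ssh2",
  "Jan 10 03:17:00 host cron[55]: (root) CMD (run-parts /etc/cron.hourly)",
].join("\n");

// ^ and $ with the m flag pin the pattern to one whole line, \[ \] and \.
// match literal characters, {n,m} bounds repetition, (?:...)? is an optional
// group, and (?<user>...) / (?<ip>...) name the captured pieces.
// \d{1,3} only checks the shape of each octet, not that it is <= 255.
const FAILED_LOGIN = /^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?<user>\S+) from (?<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$/gm;

// Return one {user, ip} record per failed-login line in the text.
function failedLogins(text) {
  return [...text.matchAll(FAILED_LOGIN)].map((m) => ({
    user: m.groups.user,
    ip: m.groups.ip,
  }));
}

// Return the source IPs with at least `threshold` failed logins.
function offenders(text, threshold) {
  const counts = new Map();
  for (const { ip } of failedLogins(text)) {
    counts.set(ip, (counts.get(ip) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n >= threshold).map(([ip]) => ip);
}

console.log(failedLogins(SAMPLE_LOG));
console.log(offenders(SAMPLE_LOG, 2));
```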

Expressions

  • /(?<name1>abc)(?<name2>xyz)(?:mnt)/
    • gives a name to each piece of the match: abc will be name1, xyz will be name2, and mnt will not be named. The names can be used later as $name2$name1 to invert the order of the groups in a find and replace.
  • /(\+?[1-9]{1,3}[ -]?)?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}/
    • will validate any telephone number like the following:
      • 1234567890
      • 123-456-7890
      • 123 456 7890
      • (123) 456 7890
      • 1 (123) 456 7890
      • +1(123)4567890
      • +55 1234567890
      • +551234567890
  • /[a-z0-9-._%+]{1,50}@[a-z0-9-._]{1,50}\.[a-z]{2,}/
    • validates e-mails like the following.

SOURCES

Excellent deep dive into Regular Expression [Link].