
Very new to regex and was hoping someone could help me with the syntax of negating a regex search. Let me elaborate. I want to look at a packet/information and trigger a positive alert if one (or more) of multiple criteria is not found.

For instance, I want to search a packet and trigger positive if I cannot find one or more of the following strings: "aaa", "bbb", or "ccc".

I tried the following logic but it does not work because it will trigger on any criteria not aaa|bbb|ccc even if those strings are found elsewhere in the packet.

(\b[a-z0-9]+)\b(?<!\aaa|bbb|ccc)

Other similar arguments I have tried that do not work.

(!(?=.*[Aa][Aa][Aa])|(?=.*[Bb][Bb][Bb]))
(!?=.*[Aa][Aa][Aa])(!?=.*[Bb][Bb][Bb])

Any thoughts would be greatly appreciated.

Alan Moore
joseph
    I think rather than trying to come up with a regex that *doesn't* match `aaa|bbb|ccc`, it would be easier to test the packet with one that does and negate the result of the match. Does that make sense? `if not match(/aaa|bbb|ccc/, packet) then ...` – axblount Mar 20 '15 at 14:38
  • I was considering that but still struggling with the syntax - (!((?=[.][Aa][Aa][Aa])|(?=[.][Bb][Bb][Bb]))) – joseph Mar 20 '15 at 15:20
    What I mean is, you're trying to check that `aaa|bbb|ccc` doesn't match (if I understand). So instead of trying to negate the regex itself, negate the result of the match. From your question, you would 'trigger positive' on a packet if `!match(/aaa|bbb|ccc/, packet)`. You can move the negation outside of the match function. – axblount Mar 20 '15 at 15:29
  • I think you are right, thank you. – joseph Mar 20 '15 at 16:22
  • `grep` or `egrep` can invert match with the `-v` option: `grep -v pattern file`. You could take advantage of this if you were e.g. scripting in shell. Grep and egrep however do not include some of the advanced regex features (such as lookaheads and lookbehinds). – Honza Osobne May 24 '15 at 19:37

2 Answers


Your first one

(\b[a-z0-9]+)\b(?

This matches any letter or number that appears once or more, meaning it will match anything. I'm assuming the (? was a mistake, as this matches a ( if one appears.

(!(?=.*[Aa][Aa][Aa])|(?=.*[Bb][Bb][Bb]))
(!?=.*[Aa][Aa][Aa])(!?=.*[Bb][Bb][Bb])

These two are both doing lookaheads; they are not actually going to match anything, see here for more info.

What I think you're looking for is something like:

(?i)(a|b|c){3}

This matches a, b or c if they appear consecutively three or more times, so in saaambbbmccc it will match:

aaa
bbb
ccc

The (?i) makes the match case insensitive so if you had aAa this would still be matched.

If I have misunderstood what you are asking, let me know and I'll amend my answer. Hope this helps.

Srb1313711
  • Thanks for taking the time to answer my post. I pasted my question, which for some reason omitted part of my argument. I believe this caused confusion - I apologize. I think I am pretty clear on different ways to match a string and using case. However, it is the negative search that is causing problems. I want to be able to look at an entire packet, say “does this packet have aaa, bbb, or ccc anywhere” and if it does NOT, then produce a positive. I can easily create criteria that scans for one of those strings, but I am having an issue negating the entire argument. – joseph Mar 20 '15 at 14:57
  • For example, when I put my logic (\b[a-z0-9]+)\b(? – joseph Mar 20 '15 at 15:07
  • Hi which language are you trying to use regex alongside? – Srb1313711 Mar 20 '15 at 15:41
  • This would be for an Intrusion Prevention device, so none. – joseph Mar 20 '15 at 15:55

If you are looking for the absence of a regular expression, it is easiest to negate the result of the match.

In your example, you want to show that /aaa|bbb|ccc/ is not present in a packet. Rather than trying to craft a regex that only matches if aaa and bbb and ccc are all absent, just match against /aaa|bbb|ccc/ and negate the result.

if !match(/aaa|bbb|ccc/, packet)
    # none of `aaa`, `bbb`, or `ccc` is present.
end
axblount
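The negate-the-match approach from this answer and the comment thread, worked through as an added example (this is not code from either answer or from the asker). Python's `re` module is used only because the post names no language; the packet payloads are constructed for the example. Since the asker is writing a rule for an IPS, where there is no code to negate in, the block also shows the single-regex equivalent: an anchored negative lookahead, `\A(?![\s\S]*(?:aaa|bbb|ccc))`, which matches exactly when none of the markers occur anywhere in the payload. Two pitfalls are included alongside it: the unanchored lookahead form the question tried, which fires on almost every packet, and `.*` instead of `[\s\S]*`, which stops at the first newline and so misses a marker on a later line.

```python
import re

# Constructed sample payloads (not from the original post).
PACKETS = {
    "has_aaa": b"GET /index.html aaa HTTP/1.1",
    "has_bbb_upper": b"user=BBB&pass=x",
    "clean": b"nothing interesting here\r\nsecond line",
    "multiline_hit": b"first line\nccc on the second line",
}

# Approach 1 (this answer): match the positive pattern, negate the result in code.
MARKERS = re.compile(rb"aaa|bbb|ccc", re.IGNORECASE)


def alert_by_negating_match(packet: bytes) -> bool:
    """True when none of aaa/bbb/ccc occurs anywhere in the packet."""
    return MARKERS.search(packet) is None


# Approach 2 (for a rule engine with no surrounding code): one regex that matches
# only when the markers are absent. \A pins the lookahead to the start of the
# payload so it is evaluated exactly once, and [\s\S]* scans across newlines and
# any other byte, so the assertion covers the whole payload.
ABSENCE = re.compile(rb"\A(?![\s\S]*(?:aaa|bbb|ccc))", re.IGNORECASE)


def alert_by_single_regex(packet: bytes) -> bool:
    """Same verdict as alert_by_negating_match, expressed purely in the pattern."""
    return ABSENCE.search(packet) is not None


# Pitfall A: the unanchored lookahead the question tried. search() may start the
# lookahead at any position, and some position past the marker always satisfies
# "no marker ahead", so this produces an (empty) match on nearly every packet.
UNANCHORED = re.compile(rb"(?!.*(?:aaa|bbb|ccc))", re.IGNORECASE)


def broken_unanchored(packet: bytes) -> bool:
    return UNANCHORED.search(packet) is not None


# Pitfall B: anchored, but with .* instead of [\s\S]*. Without DOTALL, . does not
# cross a newline, so a marker on a later line is not seen and the rule fires.
NAIVE_DOT = re.compile(rb"\A(?!.*(?:aaa|bbb|ccc))", re.IGNORECASE)


def broken_first_line_only(packet: bytes) -> bool:
    return NAIVE_DOT.search(packet) is not None


def evaluate(packets=PACKETS):
    """Per packet: (negate-in-code, anchored regex, unanchored, dot-only)."""
    return {
        name: (
            alert_by_negating_match(p),
            alert_by_single_regex(p),
            broken_unanchored(p),
            broken_first_line_only(p),
        )
        for name, p in packets.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:15s} negate={verdicts[0]} anchored={verdicts[1]} "
              f"unanchored={verdicts[2]} dot_only={verdicts[3]}")
```

The first two columns agree on every payload; the unanchored form alerts on all four packets, and the `.*` form wrongly alerts on the packet whose marker sits after a newline. When porting the anchored form to a device's rule syntax, confirm that its engine supports lookahead at all (the comment above notes that plain grep does not) and whether its `.` matches newline, or keep `[\s\S]` which needs neither assumption.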