Regex expressions for quick reference

A list of regex expressions which are used to:

  • Filter firewall logs
  • Perform bulk operations on rules with VSCode.

For example, once your regex matches, press CTRL + SHIFT + L to enter multi-cursor
mode and manipulate all regex matches however you like.

Reserved regex characters that must be escaped: [ ] ( ) . \ ^ $ | ? * + { }

Filterline

Filterline regexes are to be used in .vscode\filterline.json to filter out firewall logs.
Note that the syntax for filterline regex expressions is JavaScript.

Programs

"DROP TCP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s\\d+\\s(80|443)"

DHCPv6

"DROP UDP.*([a-f0-9:]+:)+[a-f0-9]+\\s(547|546)"

DHCPv4

"DROP UDP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s(67|68)"

LLMNRv4

"DROP UDP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s\\d+(?<!5353)\\s5353"
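The following added example (not part of the original file) runs the four filterline patterns above over constructed firewall log lines and shows which lines each one selects. The name-to-pattern JSON object, the sample lines, their assumed field order and the `strictPrograms` variant are assumptions made for illustration.

```javascript
// Patterns copied from this page, still JSON-escaped ("\\." is "\." after parsing).
// The name -> pattern object is a hypothetical container, not filterline's schema.
const patternsJson = String.raw`{
  "Programs": "DROP TCP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s\\d+\\s(80|443)",
  "DHCPv6": "DROP UDP.*([a-f0-9:]+:)+[a-f0-9]+\\s(547|546)",
  "DHCPv4": "DROP UDP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s(67|68)",
  "LLMNRv4": "DROP UDP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s\\d+(?<!5353)\\s5353"
}`;

// Constructed log lines; assumed field order:
// date time action protocol src-ip dst-ip src-port dst-port ...
const sampleLog = [
  "2024-01-15 10:22:31 DROP TCP 192.168.1.10 93.184.216.34 51234 443 52 S 0 0 64240 - - - SEND",
  "2024-01-15 10:22:32 DROP TCP 192.168.1.10 10.0.0.5 51235 8080 52 S 0 0 64240 - - - SEND",
  "2024-01-15 10:22:33 DROP TCP 192.168.1.10 10.0.0.5 51236 22 52 S 0 0 64240 - - - SEND",
  "2024-01-15 10:22:34 DROP UDP 0.0.0.0 255.255.255.255 68 67 328 - - - - - - - SEND",
  "2024-01-15 10:22:35 DROP UDP fe80::1c2d:3e4f:5a6b:7c8d ff02::1:2 546 547 98 - - - - - - - SEND",
  "2024-01-15 10:22:36 DROP UDP 192.168.1.10 224.0.0.251 49152 5353 60 - - - - - - - SEND",
  "2024-01-15 10:22:37 DROP UDP 192.168.1.10 224.0.0.251 5353 5353 60 - - - - - - - RECEIVE",
  "2024-01-15 10:22:38 ALLOW TCP 192.168.1.10 93.184.216.34 51237 443 0 - 0 0 0 - - - SEND",
];

// Return, for every line, the names of all patterns that match it.
function classify(lines, patterns) {
  const compiled = Object.entries(patterns).map(([name, p]) => [name, new RegExp(p)]);
  return lines.map((line) =>
    compiled.filter(([, re]) => re.test(line)).map(([name]) => name));
}

const patterns = JSON.parse(patternsJson);
const hits = classify(sampleLog, patterns);

// Assumption (not from the page): a trailing \s pins the destination port,
// so the "80" alternative can no longer match the first two digits of "8080".
const strictPrograms = new RegExp(patterns.Programs + "\\s");

sampleLog.forEach((line, i) => console.log((hits[i].join(",") || "-") + " | " + line));
console.log("8080 line, anchored variant:", strictPrograms.test(sampleLog[1]));
```

The second sample line (destination port 8080) is selected by the Programs pattern because the port alternation is not followed by a delimiter; the line with source and destination port both 5353 is excluded by the lookbehind.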

Firewall rules

Note:

  • Firewall rule examples here are shortened.
  • Each regex includes an optional space at the end

Get -DisplayName parameter and its value

In the example below, selecting all matches in a script with multi-cursor lets you cut every match and paste it onto a second line: CTRL + X to cut, Down Arrow to move, then CTRL + V to paste.

New-NetFirewallRule -DisplayName "Interface-Local Multicast" -Service Any `
New-NetFirewallRule -DisplayName $_.Name -Service Any `
-DisplayName "(.*)"(?= -Service) ?
-DisplayName ("(.*)"|\$_\.\w+)(?= -Service) ?

Get platform

-Platform $Platform
-Platform \$Platform ?

Get group

New-NetFirewallRule -Group $Group
New-NetFirewallRule -Group "Some rule group"
-Group (([\$|\w]\w+)|(".*")) ?

Get Interface

New-NetFirewallRule -InterfaceType $DefaultInterface
New-NetFirewallRule -InterfaceType "Wired, Wireless"
# TODO: is this valid? if yes regex needs update
New-NetFirewallRule -InterfaceType Wired, Wireless
-InterfaceType (([\$|\w]\w+)|(".*")) ?

Get policy store

-PolicyStore $PolicyStore
-PolicyStore [\$|\w]\w+ ?

Get Profile property if value also contains variable names

New-NetFirewallRule -Profile Any
New-NetFirewallRule -Profile $DefaultProfile
New-NetFirewallRule -Profile Private, Domain
-Profile [\$|\w]\w+,? ?\w+ ?

Direction protocol pairs

New-NetFirewallRule -Direction $Direction -Protocol UDP
New-NetFirewallRule -Direction Inbound -Protocol 41
-Direction $Direction -Protocol ICMPv6 -IcmpType 12
-Direction $Direction -Protocol ICMPv4 -IcmpType 3:4
-Direction [\$|\w]\w+ -Protocol [\$|\w]\w+ ?
-Direction [\$|\w]\w+ -Protocol [\$|\w]\w+ -IcmpType \d+(:\d+)? ?

Get local and remote port parameters and values

New-NetFirewallRule -LocalPort Any -RemotePort 547, 53
New-NetFirewallRule -LocalPort 546 -RemotePort IPHTTPSout
New-NetFirewallRule -LocalPort 22, 546-55, 54 -RemotePort Any
-LocalPort [\w&&,&&\-&& ]+ -RemotePort [\w&&,&&\-&& ]+ ?

Get mapping pairs and their values

New-NetFirewallRule -LocalOnlyMapping $false -LooseSourceMapping $false
New-NetFirewallRule -LocalOnlyMapping $true -LooseSourceMapping $false
-LocalOnlyMapping \$(false|true) -LooseSourceMapping \$(false|true) ?

Get LocalUser and EdgeTraversalPolicy

# TODO: can also be function call for SDDL
New-NetFirewallRule -LocalUser $UsersGroupSDDL -EdgeTraversalPolicy DeferToApp
New-NetFirewallRule -LocalUser Any -EdgeTraversalPolicy DeferToApp
-LocalUser [\$|\w]\w+ ?
-LocalUser [\$|\w]\w+ -EdgeTraversalPolicy \w+ ?

Get local and remote IPv6 address only in any notation

New-NetFirewallRule -LocalAddress ff01::/16 -RemoteAddress Any
New-NetFirewallRule -LocalAddress Any -RemoteAddress ff01::2
-LocalAddress (?!.*\.)[\w&&:&&/]+ -RemoteAddress (?!.*\.)[\w&&:&&/]+ ?

Get local and remote IPv4 address only in any notation

New-NetFirewallRule -LocalAddress 224.3.0.44, 224.0.0.0-224.0.0.255, 224.3.0.44 -RemoteAddress Any
New-NetFirewallRule -LocalAddress LocalSubnet4 -RemoteAddress 224.3.0.44, 224.0.0.0-224.0.0.255
New-NetFirewallRule -LocalAddress LocalSubnet4 -RemoteAddress 224.3.0/24, 224.0/16-224.0.0.255
-LocalAddress (?!.*:)[,\.\w \-/]+ -RemoteAddress (?!.*:)[,\.\w \-/]+ ?

Get owner and package for store app

New-NetFirewallRule -Owner (Get-GroupSID "Administrators") -Package "*"
New-NetFirewallRule -Owner $Principal.SID -Package $PackageSID
-Owner [\$|\w](\w|\.)+(?= -Package) -Package [\$|\w](\w|\.)+ ?
-Owner (([\$|\w](\w|\.)+)|(\(.*\))) -Package ([\$|\w](\w|\.)+|".*") ?

Get enabled or action flag

-Enabled (True|False) ?
-Action (Allow|Block) ?

Random regexes

File system path validation

Here the file extension must be either *.lnk or *.url

'^[a-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>.|\r\n]*(\.(lnk|url))*$'

File path selection

Select path up to last directory, up to 3rd directory and last item respectively

".+?(?=\\.*)"
".+?(?=(\\.*\\*){3})"
"\\+(?:.(?!\\))+$"

URL validation

Regex breakdown:

(
https?:\/\/(www\.)?
[a-zA-Z0-9@:%._\+~#=]{2,256}
\.[a-z]{2,6}
\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)
(\([^(]+\))?
)
"https?:\/\/(www\.)?[a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)"

Sample match:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb726984
"https?:\/\/(www\.)?[a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)(\([^(]+\))?"

Sample match:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb726984(v=technet.10)

DACL validation

The DACL is part of an SDDL string

"(D:\w*(\((\w*;\w*){4};((S(-\d+){2,12})|[A-Z]*)\))+){1}"

UNC validation

Universal Naming Convention

"^\\\\[a-zA-Z0-9\.\-_]{1,}(\\[a-zA-Z0-9\-_\s\.]{1,}){1,}[\$]{0,1}"

UPN validation

User Principal Name
UPN name invalid characters: ~ ! # $ % ^ & * ( ) + = [ ] { } \ / | ; : " < > ? ,

Domain name portion:

"(?(\[)(\[(\d{1,3}\.){3}\d{1,3}\])|(([0-9a-zA-Z][-0-9a-zA-Z]*[0-9a-zA-Z]*\.)+[0-9a-zA-Z][-0-9a-zA-Z]{0,22}[0-9a-zA-Z]))$"

User profile validation

"^($env:SystemDrive\\?|\\)Users(?!\\+Public\\*)"

File extension

Invalid characters to name a directory: / \ : < > ? * | "

'\.[^./\\:<>?*|"]+$'

File name

Invalid characters to name a file: / \ : < > ? * | "

'[^/\\:<>?*|"]+$'

NETBIOS name

The first character of the name must not be asterisk *
Any character less than a space (0x20) is invalid.
Microsoft allows the dot character; the space character may work too.
NETBIOS invalid characters: " / \ [ ] : | < > + = ; ,

"^([A-Z0-9\-_]\*?)+$"

Relaxed version for Windows:

"^([A-Z0-9a-z\-_\.\s]\*?)+$"

System environment variable

The first character of the name must not be numeric. A variable name may include any of the following characters:

A-Z, a-z, 0-9, # $ ' ( ) * + , - . ? @ [ ] _ ` { } ~

Email validation

2 useful links:

IPv6 validation

Simple version:

([a-f0-9:]+:)+[a-f0-9]+

For more complex examples see Regular expression that matches valid IPv6 addresses

IPv4 validation

Simple version:

([0-9]{1,3}\.){3}[0-9]{1,3}

For regex below all credits to Validating IPv4 addresses with regexp

\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}\b
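The two IPv4 regexes above behave differently as a search pattern and as a validator. This added example (not part of the original file) uses the simple version to find candidates in a line and the credited version to validate each candidate on its own; the function name and the sample inputs are constructed for illustration.

```javascript
// Regexes copied from the "IPv4 validation" section of this page.
const simpleIPv4 = /([0-9]{1,3}\.){3}[0-9]{1,3}/;
const strictIPv4 = /\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}\b/;

// Find dotted-quad candidates with the simple regex, then keep only those the
// strict regex accepts when it is given the candidate alone. The strict regex
// requires its last octet to be followed by "." or end of input, so it cannot
// locate an address that is followed by a space in the middle of a log line.
function extractIPv4(line) {
  const candidates = line.match(new RegExp(simpleIPv4.source, "g")) || [];
  return candidates.filter((candidate) => strictIPv4.test(candidate));
}

// Constructed inputs.
const logLine = "2024-01-15 10:22:31 DROP TCP 192.168.1.10 93.184.216.34 51234 443";
const noisy = "src 999.300.1.1 dst 10.0.0.256 resolver 8.8.8.8";

console.log(extractIPv4(logLine));          // both addresses survive validation
console.log(extractIPv4(noisy));            // out-of-range octets are dropped
console.log(simpleIPv4.test("999.300.1.1")); // simple version accepts any 1-3 digits
console.log(strictIPv4.test(logLine));       // strict version alone misses mid-line addresses
```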

Match comment block in script

function comment:

\<#[\s\S]+?(?=#\>)

ScriptInfo comment:

\<#PSScriptInfo[\s\S]+?(?=#\>)

SHA1 thumbprint validation

28be82b2378753a06b6e097714c0fa754248fa48

Parameter validation:

^[0-9a-f]{40}$

Match in string:

\b[0-9a-f]{40}\b

GUID validation

For regex below all credits to Regex for Guid

[({]?(^([0-9A-Fa-f]{8}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{12})$)[})]?
