IF Regex not working

Hey guys,

In my pipeline I use a dictionary to enrich internal IPs and, to capture, I use the following regex:

if [source] =~ "^10\." or [source] =~ "^127\.0\." or [source] =~ "^192\.168\." or [source] =~ "^172\.(1[6789]|2[0-9]|30|31)\.[0-9]{1,3}\.[0-9]{1,3}" or [source] == "0.0.0.0" {

This regex works very well. Now I need to do the same process, but in reverse. I want it to be validated as soon as the IP arrives, to check whether that IP is internal; if not, it will be enriched if it is found in another dictionary. I tested changing just the operator, but the regex no longer works:

if [source] !~ "^10\." or [source] !~ "^127\.0\." or [source] !~ "^192\.168\." or [source] !~ "^172\.(1[6789]|2[0-9]|30|31)\.[0-9]{1,3}\.[0-9]{1,3}" or [source] == "0.0.0.0" {

The regex only works if it has just one condition (e.g. if [source] !~ "^10\."); when more than one is added, the IF stops working.

What can it be?

Hi Marco,

You should use the and operator to ensure that the source does not match all the regular expressions.

if [source] !~ "^10\." and [source] !~ "^127\.0\." and [source] !~ "^192\.168\." and [source] !~ "^172\.(1[6789]|2[0-9]|30|31)\.[0-9]{1,3}\.[0-9]{1,3}" and [source] != "0.0.0.0" {

In this way, the condition will be true only if the source does not match any of the regular expressions.

Can you share an example where it is not working? Also, the last conditional is the same in both; shouldn't it be [source] != "0.0.0.0" in the second one?
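Added example, not from the thread or from Logstash itself: the three conditionals above expressed as Ruby regex checks (Logstash evaluates =~ and !~ with Ruby regexes), using the same patterns as the thread, to show why the or-joined negations are true for every source value while the and-joined version behaves as intended.

```ruby
# The private-range patterns exactly as they appear in the thread.
INTERNAL_PATTERNS = [
  /^10\./,
  /^127\.0\./,
  /^192\.168\./,
  /^172\.(1[6789]|2[0-9]|30|31)\.[0-9]{1,3}\.[0-9]{1,3}/,
].freeze

# Mirrors the original, working condition: "=~ ... or =~ ... or == 0.0.0.0".
# True when the source is internal.
def internal?(source)
  INTERNAL_PATTERNS.any? { |re| source =~ re } || source == "0.0.0.0"
end

# Mirrors the broken attempt: negated tests joined with "or".
# Every source fails to match at least one of the patterns, so one of the
# "!~" branches is always true and the whole condition is always true.
def not_internal_with_or(source)
  INTERNAL_PATTERNS.any? { |re| source !~ re } || source == "0.0.0.0"
end

# Mirrors the corrected rule: negated tests joined with "and" (De Morgan's
# law: not (A or B) == (not A) and (not B)), plus "!= 0.0.0.0".
def not_internal_with_and(source)
  INTERNAL_PATTERNS.all? { |re| source !~ re } && source != "0.0.0.0"
end

# Constructed sample values for the source field (not taken from real logs).
SAMPLES = %w[192.168.0.1 10.4.5.6 172.20.1.1 172.32.1.1 0.0.0.0 203.0.113.7].freeze

# Side-by-side evaluation of the three conditionals for each sample.
def compare_conditionals
  SAMPLES.map do |src|
    {
      source: src,
      internal: internal?(src),
      broken_or: not_internal_with_or(src),
      fixed_and: not_internal_with_and(src),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_conditionals.each { |row| puts row.inspect }
end
```

For a quick check, note that the broken_or column is true for every sample, while fixed_and is exactly the negation of internal.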

From the tests I did here it seems to work well, thank you very much!

Suppose a document has the value "192.168.0.1" in the source field

In my rule I would like this document to be enriched by the translate filter only if the source field contains an IP value that is not internal. To validate whether the rule was working, I purposely inserted this IP 192.168.0.1 into the dictionary to check whether it would enrich.

This dictionary is a list of malicious public IPs and the objective is to make logstash, as soon as it receives a malicious IP, enrich the document with the pertinent data from that IP. This regex is intended to prevent documents containing private IPs from passing through this dictionary.

Using only the conditional if [source] !~ "^192\.168\." I can achieve this goal: it was not enriched, as expected. But as soon as I added another conditional, if [source] !~ "^192\.168\." or [source] !~ "^10\.", it stopped working.

Regarding the last question, it was my mistake when transcribing it here.

That will evaluate to true for any value of [source]. Nothing will match both regexps, so one branch or the other will evaluate true.
