IF Regex not working

Hey guys,

In my pipeline I use a dictionary to enrich internal IPs and, to capture, I use the following regex:

if [source] =~ "^10\." or [source] =~ "^127\.0\." or [source] =~ "^192\.168\." or [source] =~ "^172\.(1[6789]|2[0-9]|30|31)\.[0-9]{1,3}\.[0-9]{1, 3}" or [source] == "" {

This regex works very well. Now I need to do the same process, but in reverse. I want it to be validated as soon as the IP arrives to see if that IP is not internal, if not, it will be enriched if found in another dictionary. I tested changing just the operator, but the regex no longer works:

if [source] !~ "^10\." or [source] !~ "^127\.0\." or [source] !~ "^192\.168\." or [source] !~ "^172\.(1[6789]|2[0-9]|30|31)\.[0-9]{1,3}\.[0-9]{1, 3}" or [source] == "" {

The regex only works if it has just one condition (e.g. if [source] !~ "^10\."), when more than one is added the IF stops working.

What can it be?

Hi Marco,

You should use the and operator to ensure that the source does not match all the regular expressions.

if [source] !~ "^10\." and [source] !~ "^127\.0\." and [source] !~ "^192\.168\." and [source] !~ "^172\.(1[6789]|2[0-9]|30|31)\.[0-9]{1,3}\.[0-9]{1,3}" and [source] != "" {

In this way, the condition will be true only if the source does not match any of the regular expressions.

Can you share an example where it is not working? Also, the lest conditional is the same in both, shouldn't it be [source] != "" in the second one?

From the tests I did here it seems to work well, thank you very much!

Suppose a document has the value "" in the source field

In my rule I would like this document to be enriched by the translate filter only if the source field contains an IP value that is not internal. To validate whether the rule was working, I purposely inserted this IP into the dictionary to check whether it would enrich.

This dictionary is a list of malicious public IPs and the objective is to make logstash, as soon as it receives a malicious IP, enrich the document with the pertinent data from that IP. This regex is intended to prevent documents containing private IPs from passing through this dictionary.

Using only the conditional if [source] !~ "^192\.168\." I can achieve this goal, it was not enriched as expected. But as soon as I added another conditional if [source] !~ "^192\.168\." or [source] !~ "^10\." it stopped working.

Regarding the last question, it was my mistake when transcribing it here.

That will evaluate to true for any value of [source]. Nothing will match both regexps, so one branch or the other will evaluate true.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.