The patterns specified in the rulesets are Perl-5 compatible regular expressions. The standard meta characters used in regular expressions are as follows:
Meta Characters Used in Regular Expressions

| Meta Character | Meaning |
| --- | --- |
| ^ | Match beginning of the line |
| $ | Match end of the line (newline) |
| [] | Character class (match any character within [ ]) |
| . | Match any character |
| \d | Match any digit: [0-9] |
| \D | Match any non-digit: [^0-9] |
| \s | Match any whitespace (tab, space) |
| \S | Match any non-whitespace character |
| \w | A word character: [A-Za-z_0-9] |
| X? | Match X zero or one time |
| X* | Match X zero or more times |
| X+ | Match X one or more times |
| () | Grouping to extract fields |
As an example, to match the string
Login failure for superuser from 128.121.1.2
you can use the following regular expression:
\s+Login\s+failure\s+for\s+(\S+)\s+from\s+([0-9.]+)$
The parentheses allow you to extract the username and the IP address as the $1 and $2 fields respectively. Note that the pattern is anchored only at the end (`$`), and the leading `\s+` requires at least one whitespace character before "Login", so it is meant to match a log line that carries a prefix (timestamp, host, program name) ahead of the message text.
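To show the $1 and $2 extraction in practice, here is an added example (not part of the original page) that applies the pattern above to a few constructed syslog-style lines with Python's re module, whose syntax covers every meta character in the table, and counts failures per source address as a threshold rule would consume them:

```python
import re

# The pattern from the page. The syslog-style prefix on each sample line
# supplies the leading whitespace the pattern requires before "Login".
LOGIN_FAILURE = re.compile(r"\s+Login\s+failure\s+for\s+(\S+)\s+from\s+([0-9.]+)$")

# Constructed sample log lines (not real data); the third one must not match.
SAMPLE_LINES = [
    "Mar  3 10:15:02 host1 login[2231]: Login failure for superuser from 128.121.1.2",
    "Mar  3 10:15:09 host1 login[2231]: Login failure for alice from 10.0.0.7",
    "Mar  3 10:16:00 host1 sshd[2240]: Accepted password for alice from 10.0.0.7",
]


def extract_failures(lines):
    """Return (username, address) pairs, i.e. the $1 and $2 fields, for every
    line that matches the login-failure pattern; non-matching lines are skipped."""
    hits = []
    for line in lines:
        # rstrip so a trailing newline does not interfere with the '$' anchor
        m = LOGIN_FAILURE.search(line.rstrip("\n"))
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def failures_by_source(lines):
    """Count matched failures per source address (the usual basis for a
    'N failures from the same host' threshold rule)."""
    counts = {}
    for _user, addr in extract_failures(lines):
        counts[addr] = counts.get(addr, 0) + 1
    return counts


if __name__ == "__main__":
    for user, addr in extract_failures(SAMPLE_LINES):
        print(f"user={user} from={addr}")
    print(failures_by_source(SAMPLE_LINES))
```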