
OS_Regex support

Open shiran3F opened this issue 5 years ago • 3 comments

Feature

https://documentation.wazuh.com/3.10/user-manual/ruleset/ruleset-xml-syntax/regex.html

Hello guys,

It seems that os_regex is not a common regular expression. It has limited function. And I didn't find any testers for it.

shiran3F avatar Nov 07 '19 02:11 shiran3F

https://ossec-docs.readthedocs.io/en/latest/syntax/regex.html (same info as above but not linked to a specific product implementation)

From the looks of things it is fully compatible with PCRE when keeping the limitations in mind.

I will be honest, I'm not sure if it is worth the effort to add given the seemingly very low use. The limitations are of a sort that simply using the current PCRE engine and stripping out some tokens will not be enough...

Doqnach avatar Nov 07 '19 08:11 Doqnach

@shiran3F I landed here because I, too, was looking for a tester for OS_Regex and OS_Match, specifically for use when writing decoders for Wazuh.

But I believe that @Doqnach is correct, and for the reasons mentioned, a PCRE tester will do the job.

There are limitations not specifically mentioned in the relevant documentation, such as the fact that quantifiers are not supported, so one must use \w\w\w instead of \w{3}, but once those limitations are understood, using a plain-old PCRE tester becomes trivial.

That said, I would still welcome support for this flavor, but understand that it may not be worth the trouble. :)

cbj4074 avatar Jan 25 '21 15:01 cbj4074
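The rewrite described in the comment above (`\w\w\w` instead of `\w{3}`), as an added example that is not part of the thread and is not Wazuh or regex101 code: a Python helper that expands exact-count quantifiers so a pattern checked in a PCRE tester can be pasted into a decoder. The function name and sample patterns are hypothetical; ranges such as `{1,3}` and quantified groups or bracket classes are assumed to need a manual rewrite, so they are left unchanged and reported.

```python
import re

# A brace quantifier: {n}, {n,} or {n,m}. Group 2 is set only for the comma forms.
_BRACES = re.compile(r"\{(\d+)(,\d*)?\}")


def expand_counted_quantifiers(pattern):
    """Expand exact-count quantifiers (\\w{3} -> \\w\\w\\w).

    Returns (rewritten_pattern, warnings). Anything that cannot be expanded
    mechanically is copied through unchanged and described in warnings.
    """
    out, warnings, i = [], [], 0
    while i < len(pattern):
        # An atom is a backslash escape (two characters) or one literal character.
        atom = pattern[i:i + 2] if pattern[i] == "\\" else pattern[i]
        i += len(atom)
        m = _BRACES.match(pattern, i)
        if m is None:
            out.append(atom)
            continue
        i = m.end()
        if atom in (")", "]"):
            # The quantifier applies to a whole group or bracket class.
            warnings.append(f"quantified group or class before {m.group(0)}: rewrite by hand")
            out.append(atom + m.group(0))
        elif m.group(2) is not None:
            # {n,} and {n,m} have no fixed-length expansion.
            warnings.append(f"range quantifier {atom}{m.group(0)}: rewrite by hand")
            out.append(atom + m.group(0))
        else:
            out.append(atom * int(m.group(1)))
    return "".join(out), warnings


if __name__ == "__main__":
    # Constructed sample patterns, not taken from any real decoder.
    for sample in (r"^\d{4}-\d{2}-\d{2} \w+", r"id=\d{1,3}", r"\\w{3}"):
        rewritten, notes = expand_counted_quantifiers(sample)
        print(f"{sample!r} -> {rewritten!r} {notes}")
```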

You can always look into providing a "Code generator" flavour?

See https://github.com/firasdib/Regex101/wiki/Writing-a-Code-Generator for more on that.

Doqnach avatar Jan 25 '21 22:01 Doqnach