Regular Expressions 101

"
^(?P<date>\S+\s+\d\s\d\d:\d\d:\d\d) (?P<hostname>\S+) suricata\[(?P<pid>\d+)\]: \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+) \[Classification:(?P<classification>.+)\] \[Priority:(?P<priority> \d+)\] \{(?P<proto>.+)\} (?P<src_ip>[\d.]{7,15}):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]{7,15}):(?P<dst_port>\d+)$
"
^ asserts position at start of the string
Named Capture Group date
(?P<date>\S+\s+\d\s\d\d:\d\d:\d\d)
\S
matches any non-whitespace character (equivalent to [^\r\n\t\f\v ])
+ matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy)
\s
matches any whitespace character (equivalent to [\r\n\t\f\v  ])
+ matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy)
\d matches a digit (equivalent to [0-9])
\s matches any whitespace character (equivalent to [\r\n\t\f\v  ])
\d matches a digit (equivalent to [0-9])
\d matches a digit (equivalent to [0-9])
: matches the character : with index 58₁₀ (3A₁₆ or 72₈) literally (case sensitive)
\d matches a digit (equivalent to [0-9])
\d matches a digit (equivalent to [0-9])
: matches the character : with index 58₁₀ (3A₁₆ or 72₈) literally (case sensitive)
\d matches a digit (equivalent to [0-9])
\d matches a digit (equivalent to [0-9])
(space) matches the character " " with index 32₁₀ (20₁₆ or 40₈) literally (case sensitive)
Named Capture Group hostname
(?P<hostname>\S+)
\S
matches any non-whitespace character (equivalent to [^\r\n\t\f\v ])
+ matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy)
 suricata
matches the characters " suricata" (space followed by suricata) literally (case sensitive)
\[ matches the character [ with index 91₁₀ (5B₁₆ or 133₈) literally (case sensitive)
Named Capture Group pid
(?P<pid>\d+)
\d
matches a digit (equivalent to [0-9])
+ matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy)
\] matches the character ] with index 93₁₀ (5D₁₆ or 135₈) literally (case sensitive)
: 
matches the characters ": " (colon followed by a space) literally (case sensitive)
\[ matches the character [ with index 91₁₀ (5B₁₆ or 133₈) literally (case sensitive)
Named Capture Group sid
(?P<sid>\d+:\d+:\d+)
\d
matches a digit (equivalent to [0-9])
+ matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy)
: matches the character : with index 58₁₀ (3A₁₆ or 72₈) literally (case sensitive)
\d
matches a digit (equivalent to [0-9])
+ matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy)
: matches the character : with index 58₁₀ (3A₁₆ or 72₈) literally (case sensitive)
\d
matches a digit (equivalent to [0-9])
+ matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy)
\] matches the character ] with index 93₁₀ (5D₁₆ or 135₈) literally (case sensitive)
(space) matches the character " " with index 32₁₀ (20₁₆ or 40₈) literally (case sensitive)
Named Capture Group msg
(?P<msg>.+)
.
matches any character (except for line terminators)
+ matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy)
(space) matches the character " " with index 32₁₀ (20₁₆ or 40₈) literally (case sensitive)
\[ matches the character [ with index 91₁₀ (5B₁₆ or 133₈) literally (case sensitive)
Classification:
matches the characters Classification: literally (case sensitive)
Named Capture Group classification
(?P<classification>.+)
.
matches any character (except for line terminators)
+ matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy)
\] matches the character ] with index 93₁₀ (5D₁₆ or 135₈) literally (case sensitive)
(space) matches the character " " with index 32₁₀ (20₁₆ or 40₈) literally (case sensitive)
\[ matches the character [ with index 91₁₀ (5B₁₆ or 133₈) literally (case sensitive)
Priority:
matches the characters Priority: literally (case sensitive)
Named Capture Group priority
(?P<priority> \d+)
(space) matches the character " " with index 32₁₀ (20₁₆ or 40₈) literally (case sensitive)
\d
matches a digit (equivalent to [0-9])
+ matches the previous token between one and unlimited times, as many times as possible, giving back as needed (greedy)
\] matches the character ] with index 93₁₀ (5D₁₆ or 135₈) literally (case sensitive)
(space) matches the character " " with index 32₁₀ (20₁₆ or 40₈) literally (case sensitive)
\{ matches the character { with index 123₁₀ (7B₁₆ or 173₈) literally (case sensitive)
Named Capture Group proto
(?P<proto>.+)
\} matches the character } with index 125₁₀ (7D₁₆ or 175₈) literally (case sensitive)
(space) matches the character " " with index 32₁₀ (20₁₆ or 40₈) literally (case sensitive)
Named Capture Group src_ip
(?P<src_ip>[\d.]{7,15})
: matches the character : with index 58₁₀ (3A₁₆ or 72₈) literally (case sensitive)
Named Capture Group src_port
(?P<src_port>\d+)
 -> 
matches the characters " -> " (space, ->, space) literally (case sensitive)
Named Capture Group dst_ip
(?P<dst_ip>[\d.]{7,15})
: matches the character : with index 58₁₀ (3A₁₆ or 72₈) literally (case sensitive)
Named Capture Group dst_port
(?P<dst_port>\d+)
$ asserts position at the end of the string, or before the line terminator right at the end of the string (if any)
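As an added example that is not part of the regex101 page, the pattern above is applied in Python to constructed syslog-style Suricata alert lines. It also goes one step beyond the page: the classification and priority groups capture a leading space, so values are stripped, and because the date group's `\d\s` admits only one-digit days, a variant with `\d{1,2}` (my change, not from the page) is shown beside the original. The sample lines, hostname and SID are made up.

```python
import re

# The pattern from the page (Python flavour), split across string literals for readability.
SURICATA_SYSLOG_RE = re.compile(
    r"^(?P<date>\S+\s+\d\s\d\d:\d\d:\d\d) (?P<hostname>\S+) suricata\[(?P<pid>\d+)\]: "
    r"\[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.+) \[Classification:(?P<classification>.+)\] "
    r"\[Priority:(?P<priority> \d+)\] \{(?P<proto>.+)\} "
    r"(?P<src_ip>[\d.]{7,15}):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]{7,15}):(?P<dst_port>\d+)$"
)

# Variant (my change, not from the page): the original's "\d\s" after the month
# admits only one-digit days, so days 10-31 never match. "\d{1,2}" accepts both.
SURICATA_SYSLOG_RE_FIXED = re.compile(
    SURICATA_SYSLOG_RE.pattern.replace(r"\s+\d\s", r"\s+\d{1,2}\s", 1)
)


def parse_alert(line, pattern=SURICATA_SYSLOG_RE):
    """Parse one syslog-forwarded Suricata alert line into a dict of fields.

    Returns None when the line does not match. The classification and priority
    groups absorb the space that follows the literal "Classification:" and
    "Priority:", so every value is stripped; numeric fields become int.
    """
    m = pattern.match(line)
    if m is None:
        return None
    fields = {name: value.strip() for name, value in m.groupdict().items()}
    for name in ("pid", "priority", "src_port", "dst_port"):
        fields[name] = int(fields[name])
    return fields


# Constructed sample lines, not real alerts. Syslog pads a one-digit day with a
# second space ("Mar  5"), which the pattern's "\s+" absorbs.
SAMPLE_DAY_5 = (
    "Mar  5 10:00:00 sensor1 suricata[1234]: [1:1000001:1] "
    "LOCAL Example alert "
    "[Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 192.168.1.10:80 -> 10.0.0.5:51234"
)
SAMPLE_DAY_15 = SAMPLE_DAY_5.replace("Mar  5", "Mar 15", 1)


if __name__ == "__main__":
    print(parse_alert(SAMPLE_DAY_5))                                      # full field dict
    print(parse_alert(SAMPLE_DAY_15))                                     # None: two-digit day
    print(parse_alert(SAMPLE_DAY_15, SURICATA_SYSLOG_RE_FIXED)["date"])   # Mar 15 10:00:00
```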