Solved: Why is my rex command after upgrade to 6.3 not wor...

PPape · ‎10-02-2015

Hello

I'm using this Regex command:

rex max_match=25 "\s+(?P<UserName>[^ ]+\s*\w*)\s+(?P<Status>[Allow|Deny]+)\s+(?P<Rigths>[\w+|-\d+][,\s+\w+]*)\n"

with Version 6.2.x it works fine but after upgrade to 6.3 I get this error:

Error in 'rex' command: Encountered the following error while compiling the regex '\s+(?P<UserName>[^ ]+\s*\w*)\s+(?P<Status>[Allow|Deny]+)\s+(?P<Rigths>[\w+|-\d+][,\s+\w+]*)\n': Regex: invalid range in character class

Here a pastebin of sample data -paste-

Am I the only one who is facing this?
I hope you can help me.

Best regards!

knielsen · ‎10-02-2015

Hi,

pasting you rex expression into regex101 points out that [\w+|-\d+] is the problem. "-" is parsed as a range quantifier, which doesn't make sense in that expression. If that "-" should match an actual "-", then escape it with backslash.

Hth,
Kai.

View solution in original post

alacercogitatus · ‎10-02-2015

I'm not sure of the exact cause, but I can guess. 6.3 might have introduced stronger regex validation. That being the case, the " " (blank space) might be the cause.

Try this:

rex max_match=25 "\s+(?P<UserName>[^\s]+\s*\w*)\s+(?P<Status>Allow|Deny)+\s+(?P<Rights>[\w+|-\d+][,\s+\w+]*)\n"

knielsen · ‎10-02-2015

Hi,

pasting you rex expression into regex101 points out that [\w+|-\d+] is the problem. "-" is parsed as a range quantifier, which doesn't make sense in that expression. If that "-" should match an actual "-", then escape it with backslash.

Hth,
Kai.

PPape · ‎10-06-2015

Sorry for late response, this was the right Answer!
Thank you very mutch Kai!

Why is my rex command after upgrade to 6.3 not working

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023