In Tripwire Enterprise, a regular expression is a specially formatted pattern that can be used to identify instances of a string in command output or element version content. For instance, when used in a COCR or COVR, regular expressions identify a string(s) that TE should include or exclude when monitoring command output, or a string to be replaced by another string (with the search-and-replace feature; see Table 33 on page 98).
Tripwire Enterprise supports Java 2 regular expressions, which are compatible with Perl-based regular expressions.
• For definitions of regular-expression characters, see Table 34 on the next page.
• For a discussion of advanced search-and-replace operations, see Advanced Search-and-Replace with Variables on page 104.
• For examples of how regular expressions may be used in practice, see Regular Expression Examples on page 104.
A variety of resources provide information about regular expressions. For a complete list of regular-expression constructs, see the Java pattern class online reference:
http://download.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html#sum
For an authoritative guide to regular expressions, see:
Mastering Regular Expressions, Jeffrey E.F. Friedl (O’Reilly, 2002)
Matching Characters    Description
.          This character matches any single character (a letter, number, symbol, etc.).
^          A caret matches the beginning of a line. For example, ^dir matches lines beginning with the letters “dir.”
$          A dollar sign matches the end of a line. For example, dir$ matches lines ending with the letters “dir.”
\n         This character matches a new line.
\s         This character matches a single whitespace character; for example, spaces or tabs.
           Note: Literal whitespace characters are ignored when a regular expression is processed.
\d         This character matches a single digit from 0 to 9.
\          This character is used to match special characters. For example, to match a * character, enter \*.
           Note: Use this character to match literal instances of the regular-expression characters defined in this table.

Character Classes      Description
[...]      This character class matches any single character contained in the brackets. For example, [a-z] matches any lower-case letter.
[^...]     This character class matches any character that is not contained in the brackets. For example, [^ABC] matches any character except upper-case letters A, B, or C.

Modifying Characters   Description
*          This character requires zero or more matches of the preceding sub-expression.
+          This character requires one or more matches of the preceding sub-expression.
?          This character indicates that the preceding match is optional.

Scopes                 Description
|          This character signifies the operator “or.”
           Example: X|Y means “X or Y”
(...|...)  Parentheses may be used to:
           • Limit the scope of an expression to one or more of the specified values (delimited with the or character), or
           • Subdivide a regular expression into sub-expressions.

Table 34. Regular-expression syntax
Tripwire Enterprise 8.2 User Guide 103 Chapter 3. Terms, Concepts, and Functions
Advanced Search-and-Replace with Variables
To perform advanced search-and-replace operations on command output generated by a COCR or COVR, use the $n variable in the Replacement string field of the rule’s properties dialog (see Changing Filter or Search-and-Replace Criteria for a COVR or COCR on page 428). $n returns matched text from the captured command output itself.
For each match of the pattern:
• $0 returns the complete match,
• $1 returns the 1st sub-expression of that match,
• $2 returns the 2nd sub-expression of that match, and so on.
Within a regular expression, sub-expressions are enclosed in parentheses. For example, consider the following regular expression:
In this example, $0 returns sample, because that is the first complete match of the pattern. $1 returns sample, because that is the first sub-expression (defined by the first pair of enclosing parentheses). $2 returns a, and $3 returns p.
Regular Expression Examples
Regular Expression Example 1
Configuration\s register\s is\s [0-9a-zA-Z]+
This expression matches any string that:
1. begins with the words “Configuration register is ” (Configuration\s register\s is\s), followed by
2. any combination of concatenated letters (upper- and/or lower-case) and numbers ([0-9a-zA-Z]+).
Regular Expression Example 2
.*inet\s addr:10\.10\.10\.[0-9].*
This expression matches any string that:
1. begins with an unlimited number of instances of any character (.*), followed by
2. the literal value “inet addr:10.10.10.” (inet\s addr:10\.10\.10\.), followed by
3. any single digit from 0 to 9 ([0-9]), followed by
4. an unlimited number of instances of any character (.*).
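A way to try the patterns from Examples 1 and 2 against sample output before putting them in a rule; this is an added example, not code from the Tripwire guide. It assumes that java.util.regex with Pattern.COMMENTS reproduces the guide's "literal whitespace is ignored" rule and that a find() search stands in for TE's matching; the sample lines and the two altered patterns are constructed.

```java
import java.util.regex.Pattern;

public class TePatternCheck {
    // Assumption: Pattern.COMMENTS stands in for the guide's rule that literal
    // whitespace in a pattern is ignored; find() stands in for TE's matching.
    static boolean hit(String regex, String line) {
        return Pattern.compile(regex, Pattern.COMMENTS).matcher(line).find();
    }

    public static void main(String[] args) {
        String[][] patterns = {
            {"example 1",   "Configuration\\s register\\s is\\s [0-9a-zA-Z]+"},
            {"ex1, no \\s", "Configuration register is [0-9a-zA-Z]+"},
            {"example 2",   ".*inet\\s addr:10\\.10\\.10\\.[0-9].*"},
            {"ex2, bare .", ".*inet\\s addr:10.10.10.[0-9].*"},
        };
        // Constructed sample command output.
        String[] lines = {
            "Configuration register is 0x2102",
            "inet addr:10.10.10.5  Bcast:10.10.10.255",
            "inet addr:10.10.10.57  Bcast:10.10.10.255",
            "inet addr:10.10.11.5  Bcast:10.10.11.255",
            "inet addr:10110.10.5  Bcast:10.255.255.255",
        };
        for (String[] p : patterns) {
            System.out.println(p[0] + ": " + p[1]);
            for (String line : lines) {
                // Print MATCH or "-" beside each sample line for this pattern.
                System.out.printf("  %-5s %s%n", hit(p[1], line) ? "MATCH" : "-", line);
            }
        }
    }
}
```

With whitespace ignored, the pattern written with plain spaces and no `\s` matches nothing, and the pattern with unescaped dots also accepts `10110.10.5`. Example 2 matches `10.10.10.57` as well as `10.10.10.5`, because the trailing `.*` absorbs any further digits.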
Regular Expression Example 3
The following text is the routing table from a Sun Solaris machine:
10.0.0.0 10.101.104.2 U 1 33
224.0.0.0 10.101.104.2 U 1 0
default 10.1.1.1 UG 1 0
127.0.0.1 127.0.0.1 UH 301619933
In the routing table, the last two columns (columns 4 and 5) contain dynamic data. To remove the dynamic data from command output generated by a COVR, you can add search-and-replace criteria to the rule.
To enter search-and-replace criteria to remove the routing table’s dynamic data:
1. In the Search pattern field, enter the following regular expression:
((U.)(\s+\d+)(\s+\d+)?)
2. In the Replacement string field, enter the following expression:
(U.)
The Search pattern expression defines four expressions. The whole expression and sub-expressions are stored in the following $n variables:
Whole expression $0 = ((U.)(\s+\d+)(\s+\d+)?)
Sub-expression $1 = (U.)(\s+\d+)(\s+\d+)?
Sub-expression $2 = (U.)
Sub-expression $3 = (\s+\d+)
Sub-expression $4 = (\s+\d+)?
The Search pattern regular expression matches any string that:
1. begins with an upper-case letter “U” and any single character (U.), followed by
2. one or more spaces followed by one or more digits (\s+\d+), followed by
3. one or more spaces followed by one or more digits (\s+\d+). The ? character makes this last sub-expression optional.
With these search-and-replace entries, Tripwire Enterprise replaces each string matching the Search pattern with a string that matches the Replacement string. Therefore, if the COVR is run with a version check of the Sun Solaris machine, the routing table columns with dynamic data will not appear in the command output.
10.0.0.0 10.101.104.2 U
224.0.0.0 10.101.104.2 U
default 10.1.1.1 UG
127.0.0.1 127.0.0.1 UH
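The $n numbering and the Example 3 replacement, run with java.util.regex as an added example (not code from the Tripwire guide). It assumes the output is processed one line at a time and writes the replacement as `$2`, the variable the guide assigns to (U.); the column-padded routing lines are constructed sample data.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RouteTableFilter {
    // Search pattern from Example 3; groups are numbered by opening parenthesis.
    static final Pattern SEARCH =
        Pattern.compile("((U.)(\\s+\\d+)(\\s+\\d+)?)");

    // Constructed sample output with padded columns.
    static final String[] ROUTES = {
        "10.0.0.0     10.101.104.2  U        1     33",
        "224.0.0.0    10.101.104.2  U        1      0",
        "default      10.1.1.1      UG       1      0",
        "127.0.0.1    127.0.0.1     UH      30  16199",
        "10.9.0.0     10.101.104.2  U 1 7",   // single spaces between columns
    };

    public static void main(String[] args) {
        // Show what each $n holds for the match on the "default" route.
        Matcher m = SEARCH.matcher(ROUTES[2]);
        if (m.find()) {
            for (int n = 0; n <= m.groupCount(); n++) {
                System.out.printf("$%d = [%s]%n", n, m.group(n));
            }
        }
        // Apply the replacement line by line (assumed processing unit).
        for (String line : ROUTES) {
            String out = SEARCH.matcher(line).replaceAll("$2");
            // SAME means the search pattern did not match and the line is unchanged.
            System.out.printf("%-4s |%s|%n", out.equals(line) ? "SAME" : "EDIT", out);
        }
    }
}
```

The last sample line comes back unchanged: with a one-letter flag, `U.` consumes the only space after `U`, so `\s+` has nothing left to match and the dynamic columns stay in the output. Checking a pattern against lines with both padded and single-space columns shows whether a filter silently skips some rows.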