Regex

Course
Time
1 hour 37 minutes
Difficulty
Beginner
CEU/CPE
2

Video Transcription

00:00
Welcome back to the course. We'll be returning to OSSEC to gather more log sources. In this case we'll be using SonicWall, which is believed to be a type of firewall. I have personally not used it, but this does not impede me from utilizing it in our exercises. I copied the registers for it. So let's copy and paste it into our regex tool,
00:19
you know, to start working with it.
00:22
Now, let's try to comprehend what exactly is in this log source, the log file.
00:27
First, we can determine the date right over here,
00:31
followed by an IP.
00:34
an ID,
00:35
a serial number,
00:39
the time of the event,
00:43
firewall IP,
00:46
followed by another log source,
00:50
believe a message
00:54
source IP, source port,
00:57
type of connection, if you want to call it that, and then the same thing, basically, for the destination, followed by a protocol.
01:03
Now, whenever we're building regexes, we need to take into consideration what exactly we're gonna be building.
01:11
For instance, let's bring this little notepad into our table.
01:18
Now let's put it on here where it won't interfere. Stretch it a little bit. Sure,
01:23
fits perfectly, and I'm gonna stretch it a little outside of the screen, so that I can click on it and work back and forth with it.
01:30
So let's see what type of values I might be able to acquire from here. Right?
01:34
First of all
01:38
right, things we can gather,
01:42
actually,
01:44
data
01:46
that we can or could gather.
01:49
Number one.
01:51
It's the date.
01:52
All right.
01:53
Second
01:56
log source. As we can see right around here,
01:59
this date itself, it's the date for the
02:04
entry of the data, not necessarily when the event occurred. Okay, so keep that in consideration. We'll go over this again.
02:09
Third, the
02:12
appliance ID.
02:14
The fourth thing is the serial number
02:17
the fifth, again, the time
02:20
of the event.
02:23
Not necessarily the same
02:27
Sixth.
02:29
We're gonna be seeing
02:30
firewall IP, or what seems to be the firewall IP.
02:37
Seventh
02:38
we'll be looking at the message. Now, this will change based on the tool, the application, the appliance. So you gotta be careful of this, right.
02:47
Now, afterwards, we'll be seeing the source IP,
02:52
right, followed by source port,
02:55
and what we can call maybe the type of connection and I apologize for typos over there,
03:06
and that's a cola type
03:07
hurt.
03:08
And then basically, the same parameters are repeated for the destination. So it will be the destination IP,
03:15
the destination port,
03:20
the type, if you want to call it that. I apologize again.
03:29
Type of connection and
03:30
good.
03:35
Now, afterwards, in some of these logs, you'll surely also see a protocol, with the protocol
03:40
port. So let's type here protocol
03:45
and port.
03:46
So after you got all of these, you have to consider what exactly
03:52
you want to see when you're building your regexes, when you're gathering data, and you won't use all of them. You will most likely be using the message; it's really important. You need to know what you're doing, or what the application or the system is doing, right.
04:06
So you also need the time.
04:10
Otherwise you won't be able to do any correlation. Most likely also the source and the destination; you need to know what's being targeted
04:16
in the attack
04:18
Like I mentioned earlier, the message is also highly important. You need to know what's happening in order to be able to test it, right? Now,
04:28
Give it a minute
04:30
What else do you need?
04:30
No.
04:31
If this is the only thing you're watching,
04:33
that should do it. However,
04:35
if you have an infrastructure, let's say you're pulling this into a SIEM, then you also need the ID or the type of appliance, right? Something that lets me
04:45
validate or see what it is that's bringing the data in, right? And why do I say this? You want to make sure you don't confuse the firewall logs with Windows Event logs, for example. Also, if your infrastructure has several of these devices, the serial number, for example, then you will need the device name in order to be able to trigger, correlate
05:03
which activity is being targeted, and whether it's internal or external.
05:08
For the purpose of this lesson, we'll concentrate on these first four that I first mentioned. Let's leave a little space here, and let's start building a regex for time.
05:20
Now you can see time is mentioned twice here, in the beginning and in the end. Like I mentioned earlier, the first one is mostly related
05:28
to when the event comes in. If you can see, most of them have very, very similar timestamps, especially these two. However, when you compare these to the timestamps on the right, you can see there are actually a few seconds between them. That's most likely because,
05:41
even though the events happened in a constant manner, maybe two, three, four in a second, let's say, I'm just putting out numbers,
05:47
you might not be pulling these records instantly, and you might be pulling them at intervals of five minutes, 10 minutes, 15 minutes, maybe once a day. And that's why you have to be really careful in which timestamp you use when you're referring to time. For the purpose of this class, obviously, we're gonna concentrate on the actual timestamp of the event.
06:08
Now, as in prior lessons,
06:10
if we want to capture it, it's always important to look
06:14
at what is before and what is after what we want to capture, and we actually want to build our regex based on that.
06:20
So let's try something here. Try to build the regex as much as we can without actually having to type it into the cheat sheet, right?
06:29
So first of all, serial number, right. We break this symbol
06:32
and we type backslash w plus; that way it works, since it's digits and letters, followed by a space. Right,
06:40
now, let's see what's afterwards.
06:43
So what's afterwards? It's the firewall, right? Firewall IP. So again, to space, firewall, break the symbol. And in this case, it's an IP. So we use the formula for the IP. That's correct,
06:55
but you don't really need to go that far. Just with the fw should be more than enough.
07:01
So now let's try to figure out how to write this little portion over here, the portion with the actual time in it.
07:09
Now,
07:10
like I mentioned in prior classes, and basically the whole course, there's more than one way to capture this. We can focus on the,
07:16
uh, digits, if you want to call it that way, you know, four, two, two, two, two, two, right? Four for the year, two for the day and the month, and then two for hours, minutes and seconds. And you can see here we can also have another option of using wildcards.
07:31
Right? And you can just capture the whole block with a wildcard. So let's try this first, right?
07:41
Let's say you're gonna have to write, and this is the first one, this is actually very commonly used in most of my activities, and you're going to see this immediately capture once I paste it here. Perfect, right?
07:55
Now,
07:57
remember, if you're doing this, you wanna actually capture the specific content which will be here,
08:03
Uh, sorry from wreck it
08:05
the area. Otherwise, you'll be capturing the whole string of data. So again, this is more towards when you do it in a SIEM, so not necessarily when you do d o p or a double Louis, let's say, right? This is more when you want to capture a segment of the whole regex.
08:22
You might also be required to do this in forensic tools, but
08:26
I have not encountered that aspect firsthand. I've mostly used it in forensics for keyword searches.
08:31
Now, let's try to do the second one,
08:37
for it, right? We actually have to use the word time,
08:41
right? And just to be honest, we can also use time for the wildcard.
08:46
Um, but it's just, you know, we're trying to practice different concepts, and one very important thing is, in order to reduce the amount of data for you, for example, if we were capturing time and we just want to capture this segment, we actually have to put the quotations in here too. Okay,
09:03
so
09:05
you gotta be very careful. Like I said,
09:09
We'll build it as simple as we can. Obviously, there might be a chance of what we'll require to troubleshoot. So let's update this right here
09:16
and let's cover the second one and build the second one together.
09:20
Now, like I said earlier, we're gonna focus on the digits. And obviously, as we focus on the digits, we need to break these special symbols,
09:28
we're gonna keep this in here
09:31
again. Let's just focus on building, and then we can move to have the brackets out.
09:37
No, actually, no. Never mind. Let's just not completely
09:39
I just need them. And let's start to write
09:43
the regex again.
09:46
Since you already know how to build them
09:48
from the previous one, we're just gonna literally write them from here. So it's four digits for the year,
09:54
and then, being lazy, let's copy-paste this, and then two digits for
10:00
the day slash month. So let's copy-paste this twice,
10:03
right, and then you eliminate the symbol.
10:07
Boom. There's the date.
10:09
Now I want to add a space, right, and then we can do it with the time of the day.
10:15
So it's two,
10:16
All right. So paste it
10:18
break the symbol for colon,
10:20
two for minutes, and let's add seconds. And there we go. And like in our previous instance, right,
10:26
for the brackets, put something afterwards in order to reduce the amount of errors. Yes, you can put the, uh, equal symbol, you can leave it out.
10:37
Again, we'll practice different concepts in order to get the best out of this course.
10:43
Now, once you get here,
10:46
you basically have to implement the brackets, like always, if you're in a SIEM type of environment.
10:54
So we would put this around here
10:58
and
11:01
here if you want to capture the date.
11:03
And here
11:05
and
11:07
here, if you want to capture the time
11:09
Now,
11:11
when you have these two, basically
11:13
you're allowed to do this, and you can just separate it in your software in capture groups. Right?
11:18
Um however, let me show you. Actually, this is curator. This is Ah. Scient might personally uses an image from Google,
11:26
and you can see here in the bottom left, it's capture group. So you can tell it, hey, I want you to cover the first group or the second group,
11:33
and, uh, that's basically how it changes.
11:37
Now, the thing with capture groups is that, like I mentioned in prior instances, it is way better to write two syntaxes instead of one. Again,
11:46
it's easier for the software and the appliance to read two separate sentences of regexes rather than one. At least the appliances I've personally used.
11:58
Maybe Splunk, maybe tools that I have not personally used might be able to work differently, but again, the ones I have used worked like this.
12:07
So let's go back here.
12:09
And basically
12:11
I believe that's it. You already know how to capture either the time or a date, and you can basically break it by telling it the capture group.
12:18
Let's go over more log sources in a few seconds.

Up Next

Regex

In this course you'll learn the basics of regular expressions, also known as Regex. As a professional you will understand when it is beneficial to use Regex and when it's not, how to construct Regex, and how to read Regex built by other professionals.

Instructed By

Kevin Hernandez
Instructor