# Regex expressions for quick reference

A list of regex expressions which are used to:

- Filter firewall logs
- Perform bulk operations on rules with VSCode

For example, once your regex hits, you would use CTRL + SHIFT + L to enter multi-cursor mode and manipulate all regex matches however you like.

Reserved regex characters that must be escaped: `[ ] ( ) . \ ^ $ | ? * + { }`

## Table of Contents

- Filterline
- Firewall rules
  - Get -DisplayName parameter and its value
  - Get platform
  - Get group
  - Get Interface
  - Get policy store
  - Get Profile property if value also contains variable names
  - Direction protocol pairs
  - Get local and remote port parameters and values
  - Get mapping pairs and their values
  - Get LocalUser and EdgeTraversalPolicy
  - Get local and remote IPv6 address only in any notation
  - Get local and remote IPv4 address only in any notation
  - Get owner and package for store app
  - Get enabled or action flag
- Random regexes
  - File system path validation
  - File path selection
  - URL validation
  - DACL validation
  - UNC validation
  - UPN validation
  - User profile validation
  - File extension
  - File name
  - NETBIOS name
  - System environment variable
  - Email validation
  - IPv6 validation
  - IPv4 validation
  - Match comment block in script
  - SHA1 thumbprint validation
  - GUID validation
## Filterline

Filterline regexes are to be used in `.vscode\filterline.json` to filter out firewall logs.
Note that the syntax for filterline regex expressions is JavaScript, so backslashes are doubled inside the JSON strings.

```json
"DROP TCP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s\\d+\\s(80|443)"
"DROP UDP.*([a-f0-9:]+:)+[a-f0-9]+\\s(547|546)"
"DROP UDP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s(67|68)"
"DROP UDP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s\\d+(?<!5353)\\s5353"
```
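As an added example (not part of the original page or the project's code), the following JavaScript takes the four filterline patterns above from a constructed JSON array, compiles them the way a JavaScript-flavoured filter would, and runs them over constructed log lines laid out like a Windows Firewall log (date, time, action, protocol, source IP, destination IP, source port, destination port, size, ...). It also shows one pitfall of the first pattern: nothing is required after `(80|443)`, so a drop to port 8080 is kept as well. The `anchoredPorts` helper is an assumed hardening, not from the page: it requires the whitespace that separates the port from the next column.

```javascript
// Added example, not from the original page: filterline patterns over
// constructed Windows Firewall log lines.

// The four patterns as they would be written in a JSON file. JSON escaping
// turns "\\." into the regex token "\." once parsed; String.raw keeps the
// backslashes exactly as typed here.
const FILTERLINE_JSON = String.raw`[
  "DROP TCP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s\\d+\\s(80|443)",
  "DROP UDP.*([a-f0-9:]+:)+[a-f0-9]+\\s(547|546)",
  "DROP UDP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s(67|68)",
  "DROP UDP.*([0-9]{1,3}\\.){3}[0-9]{1,3}\\s\\d+(?<!5353)\\s5353"
]`;

// Constructed sample lines (not real traffic) in pfirewall.log column order:
// date time action protocol src-ip dst-ip src-port dst-port size ...
const SAMPLE_LOG = [
  "2024-01-10 08:15:01 DROP TCP 192.168.1.10 203.0.113.5 51234 443 0 - 0 0 0 - - - SEND",
  "2024-01-10 08:15:02 DROP TCP 192.168.1.10 203.0.113.5 51235 8080 0 - 0 0 0 - - - SEND",
  "2024-01-10 08:15:03 ALLOW TCP 192.168.1.10 203.0.113.5 51236 80 0 - 0 0 0 - - - SEND",
  "2024-01-10 08:15:04 DROP UDP fe80::1 ff02::1:2 546 547 0 - - - - - - - SEND",
  "2024-01-10 08:15:05 DROP UDP 0.0.0.0 255.255.255.255 68 67 0 - - - - - - - SEND",
  "2024-01-10 08:15:06 DROP UDP 192.168.1.10 224.0.0.251 5353 5353 0 - - - - - - - SEND",
  "2024-01-10 08:15:07 DROP UDP 192.168.1.10 224.0.0.251 49152 5353 0 - - - - - - - SEND",
];

// Parse the JSON strings and compile each one as a JavaScript RegExp, the
// flavour filterline uses (the lookbehind in the last pattern needs a modern
// V8/Node runtime).
function loadPatterns(json) {
  return JSON.parse(json).map((source) => new RegExp(source));
}

// Indexes (0-based) of the lines a pattern keeps.
function matchingLines(pattern, lines) {
  const hits = [];
  lines.forEach((line, i) => {
    if (pattern.test(line)) hits.push(i);
  });
  return hits;
}

// Assumed hardening (not from the page): require the whitespace that separates
// the port from the next column, so 8080 or 4430 no longer satisfy (80|443).
function anchoredPorts(source) {
  return source + String.raw`\s`;
}

// Stand-alone run: show which sample lines each pattern keeps.
const patterns = loadPatterns(FILTERLINE_JSON);
patterns.forEach((p, i) => console.log(`pattern ${i}:`, matchingLines(p, SAMPLE_LOG)));
console.log("pattern 0 anchored:",
  matchingLines(new RegExp(anchoredPorts(JSON.parse(FILTERLINE_JSON)[0])), SAMPLE_LOG));
```

Run with `node` to see that pattern 0 keeps both the 443 and the 8080 drop, while the anchored variant keeps only the 443 line; the other three patterns each keep exactly the DHCPv6, DHCPv4 and mDNS line they were written for.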
## Firewall rules

Note:

- Firewall rule examples here are shortened.
- Each regex includes an optional space at the end.

In the example below, multi-cursoring all the matches in a script lets you cut and paste every regex match onto a second line by using CTRL + X, Down Arrow to move, and CTRL + V.
### Get -DisplayName parameter and its value

```powershell
New-NetFirewallRule -DisplayName "Interface-Local Multicast" -Service Any `
New-NetFirewallRule -DisplayName $_.Name -Service Any `
```

```regex
-DisplayName "(.*)"(?= -Service) ?
-DisplayName ("(.*)"|\$_\.\w+)(?= -Service) ?
```
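The cut-and-paste step described above, simulated in JavaScript as an added example (not the page's own code): the second `-DisplayName` regex is applied to constructed, shortened rule lines, the match is removed from each hit line and placed on its own line directly below it, and lines without a hit pass through unchanged.

```javascript
// Added example, not from the original page: simulate the CTRL+X / Down Arrow /
// CTRL+V multi-cursor step using the second -DisplayName regex of this section.
const DISPLAY_NAME = /-DisplayName ("(.*)"|\$_\.\w+)(?= -Service) ?/;

// Constructed, shortened rule lines in the page's style.
const RULE_LINES = [
  'New-NetFirewallRule -DisplayName "Interface-Local Multicast" -Service Any `',
  'New-NetFirewallRule -DisplayName $_.Name -Service Any `',
  'New-NetFirewallRule -Platform $Platform `', // no hit: passed through unchanged
];

// For every line the regex hits, remove the match (CTRL+X) and put it on its own
// line directly below (Down Arrow, CTRL+V). The optional trailing space the
// regex consumes is what keeps the remaining line free of a double space.
function cutMatchesToNextLine(lines, regex) {
  const out = [];
  for (const line of lines) {
    const hit = regex.exec(line);
    if (hit === null) {
      out.push(line);
      continue;
    }
    out.push(line.slice(0, hit.index) + line.slice(hit.index + hit[0].length));
    out.push(hit[0].trimEnd());
  }
  return out;
}

// Stand-alone run.
console.log(cutMatchesToNextLine(RULE_LINES, DISPLAY_NAME).join("\n"));
```

Both rule forms are handled by the alternation: the quoted literal name and the `$_.Name` variable. Note that `"(.*)"` is greedy, so on a line carrying two quoted values it would span from the first quote to the last one; the `(?= -Service)` lookahead is what stops it here.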
### Get platform

```powershell
-Platform $Platform
```

```regex
-Platform \$Platform ?
```
### Get group

```powershell
New-NetFirewallRule -Group $Group
New-NetFirewallRule -Group "Some rule group"
```

```regex
-Group (([\$|\w]\w+)|(".*")) ?
```
### Get Interface

```powershell
New-NetFirewallRule -InterfaceType $DefaultInterface
New-NetFirewallRule -InterfaceType "Wired, Wireless"
# TODO: is this valid? if yes regex needs update
New-NetFirewallRule -InterfaceType Wired, Wireless
```

```regex
-InterfaceType (([\$|\w]\w+)|(".*")) ?
```
### Get policy store

```powershell
-PolicyStore $PolicyStore
```

```regex
-PolicyStore [\$|\w]\w+ ?
```
### Get Profile property if value also contains variable names

```powershell
New-NetFirewallRule -Profile Any
New-NetFirewallRule -Profile $DefaultProfile
New-NetFirewallRule -Profile Private, Domain
```

```regex
-Profile [\$|\w]\w+,? ?\w+ ?
```
### Direction protocol pairs

```powershell
New-NetFirewallRule -Direction $Direction -Protocol UDP
New-NetFirewallRule -Direction Inbound -Protocol 41
-Direction $Direction -Protocol ICMPv6 -IcmpType 12
-Direction $Direction -Protocol ICMPv4 -IcmpType 3:4
```

```regex
-Direction [\$|\w]\w+ -Protocol [\$|\w]\w+ ?
-Direction [\$|\w]\w+ -Protocol [\$|\w]\w+ -IcmpType \d+(:\d+)? ?
```
### Get local and remote port parameters and values

```powershell
New-NetFirewallRule -LocalPort Any -RemotePort 547, 53
New-NetFirewallRule -LocalPort 546 -RemotePort IPHTTPSout
New-NetFirewallRule -LocalPort 22, 546-55, 54 -RemotePort Any
```

```regex
-LocalPort [\w&&,&&\-&& ]+ -RemotePort [\w&&,&&\-&& ]+ ?
```
### Get mapping pairs and their values

```powershell
New-NetFirewallRule -LocalOnlyMapping $false -LooseSourceMapping $false
New-NetFirewallRule -LocalOnlyMapping $true -LooseSourceMapping $false
```

```regex
-LocalOnlyMapping \$(false|true) -LooseSourceMapping \$(false|true) ?
```
### Get LocalUser and EdgeTraversalPolicy

```powershell
# TODO: can also be function call for SDDL
New-NetFirewallRule -LocalUser $UsersGroupSDDL -EdgeTraversalPolicy DeferToApp
New-NetFirewallRule -LocalUser Any -EdgeTraversalPolicy DeferToApp
```

```regex
-LocalUser [\$|\w]\w+ ?
-LocalUser [\$|\w]\w+ -EdgeTraversalPolicy \w+ ?
```
### Get local and remote IPv6 address only in any notation

```powershell
New-NetFirewallRule -LocalAddress ff01::/16 -RemoteAddress Any
New-NetFirewallRule -LocalAddress Any -RemoteAddress ff01::2
```

```regex
-LocalAddress (?!.*\.)[\w&&:&&/]+ -RemoteAddress (?!.*\.)[\w&&:&&/]+ ?
```
### Get local and remote IPv4 address only in any notation

```powershell
New-NetFirewallRule -LocalAddress 224.3.0.44, 224.0.0.0-224.0.0.255, 224.3.0.44 -RemoteAddress Any
New-NetFirewallRule -LocalAddress LocalSubnet4 -RemoteAddress 224.3.0.44, 224.0.0.0-224.0.0.255
New-NetFirewallRule -LocalAddress LocalSubnet4 -RemoteAddress 224.3.0/24, 224.0/16-224.0.0.255
```

```regex
-LocalAddress (?!.*:)[,\.\w \-/]+ -RemoteAddress (?!.*:)[,\.\w \-/]+ ?
```
### Get owner and package for store app

```powershell
New-NetFirewallRule -Owner (Get-GroupSID "Administrators") -Package "*"
New-NetFirewallRule -Owner $Principal.SID -Package $PackageSID
```

```regex
-Owner [\$|\w](\w|\.)+(?= -Package) -Package [\$|\w](\w|\.)+ ?
-Owner (([\$|\w](\w|\.)+)|(\(.*\))) -Package ([\$|\w](\w|\.)+|".*") ?
```
### Get enabled or action flag

```regex
-Enabled (True|False) ?
-Action (Allow|Block) ?
```
## Random regexes

### File system path validation

Here the file extension must be either `*.lnk` or `*.url`:

```regex
'^[a-z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>.|\r\n]*(\.(lnk|url))*$'
```
### File path selection

Select the path up to the last directory, up to the 3rd directory, and the last item, respectively:

```regex
".+?(?=\\.*)"
".+?(?=(\\.*\\*){3})"
"\\+(?:.(?!\\))+$"
```
### URL validation

Regex breakdown:

```regex
(
https?:\/\/(www\.)?
[a-zA-Z0-9@:%._\+~#=]{2,256}
\.[a-z]{2,6}
\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)
(\([^(]+\))?
)
```

```regex
"https?:\/\/(www\.)?[a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)"
```

Sample match:

```
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb726984
```

The variant below also accepts a trailing parenthesized segment:

```regex
"https?:\/\/(www\.)?[a-zA-Z0-9@:%._\+~#=]{2,256}\.[a-z]{2,6}\b([-a-zA-Z0-9@:%_\+.~#?&//=]*)(\([^(]+\))?"
```

Sample match:

```
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb726984(v=technet.10)
```
### DACL validation

A DACL is part of an SDDL string:

```regex
"(D:\w*(\((\w*;\w*){4};((S(-\d+){2,12})|[A-Z]*)\))+){1}"
```
### UNC validation

Universal Naming Convention:

```regex
"^\\\\[a-zA-Z0-9\.\-_]{1,}(\\[a-zA-Z0-9\-_\s\.]{1,}){1,}[\$]{0,1}"
```
### UPN validation

User Principal Name.

UPN name invalid characters: `~ ! # $ % ^ & * ( ) + = [ ] { } \ / | ; : " < > ? ,`

Domain name portion:

```regex
"(?(\[)(\[(\d{1,3}\.){3}\d{1,3}\])|(([0-9a-zA-Z][-0-9a-zA-Z]*[0-9a-zA-Z]*\.)+[0-9a-zA-Z][-0-9a-zA-Z]{0,22}[0-9a-zA-Z]))$"
```
### User profile validation

```regex
"^($env:SystemDrive\\?|\\)Users(?!\\+Public\\*)"
```
### File extension

Invalid characters to name a directory: `/ \ : < > ? * | "`

```regex
'\.[^./\\:<>?*|"]+$'
```
### File name

Invalid characters to name a file: `/ \ : < > ? * | "`

```regex
'[^/\\:<>?*|"]+$'
```

- The first character of the name must not be an asterisk `*`.
- Any character less than a space (0x20) is invalid.
- Microsoft allows the dot, and the space character may work too.
### NETBIOS name

NETBIOS invalid characters: `" / \ [ ] : | < > + = ; ,`

```regex
"^([A-Z0-9\-_]\*?)+$"
```

Relaxed version for Windows:

```regex
"^([A-Z0-9a-z\-_\.\s]\*?)+$"
```
### System environment variable

The first character of the name must not be numeric. A variable name may include any of the following characters:

``A-Z, a-z, 0-9, # $ ' ( ) * + , - . ? @ [ ] _ ` { } ~``
### Email validation

2 useful links:
### IPv6 validation

Simple version:

```regex
([a-f0-9:]+:)+[a-f0-9]+
```

For more complex examples see Regular expression that matches valid IPv6 addresses.
### IPv4 validation

Simple version:

```regex
([0-9]{1,3}\.){3}[0-9]{1,3}
```

For the regex below all credits go to Validating IPv4 addresses with regexp:

```regex
\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}\b
```
### Match comment block in script

Function comment:

```regex
\<#[\s\S]+?(?=#\>)
```

ScriptInfo comment:

```regex
\<#PSScriptInfo[\s\S]+?(?=#\>)
```
### SHA1 thumbprint validation

Sample thumbprint:

```
28be82b2378753a06b6e097714c0fa754248fa48
```

Parameter validation:

```regex
^[0-9a-f]{40}$
```

Match in string:

```regex
\b[0-9a-f]{40}\b
```
### GUID validation

For the regex below all credits go to Regex for Guid:

```regex
[({]?(^([0-9A-Fa-f]{8}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{12})$)[})]?
```
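As an added example (not from the page or the project), the JavaScript below exercises the IPv4 validation, SHA1 thumbprint and GUID patterns from the three sections above against constructed values, using a `psMatch` helper that mirrors PowerShell's case-insensitive `-match`. It shows why the anchored `^...$` form belongs in parameter validation while the `\b` form is the one to search a string with, why the simple IPv4 pattern needs the strict one behind it for validation (`999.1.1.1` passes the simple pattern), and one property of the GUID pattern as quoted: its `^` and `$` sit inside the optional bracket wrapper, so a GUID written with braces never matches; `GUID_WRAPPED` is an assumed rewrite, not from the page, that moves the anchors outside.

```javascript
// Added example, not from the original page: the page's validation patterns
// run against constructed values.

// PowerShell's -match is case-insensitive by default; mirror that with "i".
function psMatch(pattern, value) {
  return new RegExp(pattern, "i").test(value);
}

// Patterns copied from the page (String.raw keeps the backslashes as written).
const SHA1_PARAM  = String.raw`^[0-9a-f]{40}$`;
const SHA1_FIND   = String.raw`\b[0-9a-f]{40}\b`;
const IPV4_SIMPLE = String.raw`([0-9]{1,3}\.){3}[0-9]{1,3}`;
const IPV4_STRICT = String.raw`\b((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\.|$)){4}\b`;
const GUID        = String.raw`[({]?(^([0-9A-Fa-f]{8}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{4}[-]?[0-9A-Fa-f]{12})$)[})]?`;

// Assumed rewrite (not from the page): anchors outside the optional brackets,
// so both a bare and a {...}/(...) wrapped GUID validate. Bracket pairing is
// deliberately not checked, matching the original's intent.
const GUID_WRAPPED = String.raw`^[({]?([0-9A-Fa-f]{8}-?[0-9A-Fa-f]{4}-?[0-9A-Fa-f]{4}-?[0-9A-Fa-f]{4}-?[0-9A-Fa-f]{12})[})]?$`;

// Wrap a finder pattern so it has to cover the whole value, which is what a
// parameter validator needs. Note that "999.1.1.1" still passes the simple form.
function wholeValue(pattern) {
  return "^(?:" + pattern + ")$";
}

// Constructed sample values. The thumbprint is the one quoted on the page;
// the GUID is made up for the example.
const THUMBPRINT  = "28be82b2378753a06b6e097714c0fa754248fa48";
const CERT_LINE   = "Thumbprint: " + THUMBPRINT + " Subject: CN=example";
const BARE_GUID   = "12345678-1234-1234-1234-123456789abc";
const BRACED_GUID = "{" + BARE_GUID + "}";

// Each entry pairs the result on a value that should pass with one that
// exercises the edge case the section is about.
function demo() {
  return {
    sha1Param:   [psMatch(SHA1_PARAM, THUMBPRINT), psMatch(SHA1_PARAM, CERT_LINE)],
    sha1Find:    [psMatch(SHA1_FIND, THUMBPRINT), psMatch(SHA1_FIND, CERT_LINE)],
    ipv4Simple:  ["10.0.0.1", "999.1.1.1"].map((v) => psMatch(wholeValue(IPV4_SIMPLE), v)),
    ipv4Strict:  ["10.0.0.1", "999.1.1.1"].map((v) => psMatch(wholeValue(IPV4_STRICT), v)),
    guid:        [psMatch(GUID, BARE_GUID), psMatch(GUID, BRACED_GUID)],
    guidWrapped: [psMatch(GUID_WRAPPED, BARE_GUID), psMatch(GUID_WRAPPED, BRACED_GUID)],
  };
}

// Stand-alone run.
console.log(demo());
```

The same conclusions carry over to PowerShell's `[ValidatePattern()]`: a pattern without `^` and `$` accepts any value that merely contains a match, so the anchored forms are the ones to attach to parameters.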