AndrewRathbun/DFIRRegex

# DFIRRegex 一个旨在集中整理我在 DFIR 职业生涯中发现有用的正则表达式的仓库。我厌倦了总是到处寻找正则表达式，所以这是我尝试不仅为自己，也为其他人进行集中整理。 包含 Regex101 链接是为了在使用这些正则表达式之前，展示其预期的匹配结果。 # 实用的正则表达式 | 标题 | 正则表达式 | Regex101 | 链接/来源 | |---|---|---|---| | 年龄 (18岁以下) | `^(0?[1-9]{1}\|[1]{1}[0-7]{1})(\s\|[-])?(y(\s?)o\|yr([sz]?)\|year([sz]?)((\s\|[-])?(old)?)\|y)((\s?\|[-])(old)?)$` | [Regex101](https://regex101.com/r/oL1Cgs/1) | Digital Forensics Discord Server 用户 `jball77` | | BASE64 | `^(?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{4}\|[A-Za-z0-9+\/]{3}=\|[A-Za-z0-9+\/]{2}==)$` | [Regex101](https://regex101.com/r/mEaBsx/1) | [issue #3](https://github.com/AndrewRathbun/DFIRRegex/issues/3) | | 信用卡号 | `(^4[0-9]{12}(?:[0-9]{3})?$)\|(^(?:5[1-5][0-9]{2}\|222[1-9]\|22[3-9][0-9]\|2[3-6][0-9]{2}\|27[01][0-9]\|2720)[0-9]{12}$)\|(3[47][0-9]{13})\|(^3(?:0[0-5]\|[68][0-9])[0-9]{11}$)\|(^6(?:011\|5[0-9]{2})[0-9]{12}$)\|(^(?:2131\|1800\|35\d{3})\d{11}$)` | [Regex101](https://regex101.com/r/HeuLIg/2/) | [IHateRegex](https://ihateregex.io/expr/credit-card) | | 剪切文件夹层级 | `.+(?=((\\|\/).+){2})` | [Regex101](https://regex101.com/r/pS5urG/1) | [RegexLib](https://regexlib.com/REDetails.aspx?regexp_id=12777) | | 电子邮件地址 | `(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)\|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}\|[0-9]{1,3})(\]?)(\s*;\s*\|\s*$))*` | [Regex101](https://regex101.com/r/qf1qdh/2) | [StackOverflow](https://stackoverflow.com/questions/9809357/regex-for-validating-multiple-e-mail-addresses) | | 获取第一个逗号前的所有内容 | `^.[^,]*(?=(\,))` | [Regex101](https://regex101.com/r/e5N4qz/1) | 不适用 | | 文件名 (包含扩展名) | `[^\\\/:*?"<>\|\r\n]+$` | [Regex101](https://regex101.com/r/qsXeQ3/1) | [Regular Expressions Cookbook](https://www.amazon.com/Regular-Expressions-Cookbook-Solutions-Programming/dp/1449319432) | | 文件名 (短/可疑) | `^[\w,\s-]{1,3}\.[a-zA-Z0-9]{2,4}$` | [Regex101](https://regex101.com/r/MCNzMw/2) | [RegexTester](https://www.regextester.com/104048) | | 哈希 - MD5 | `[a-fA-F0-9]{32}` | 待定 | 待定 | | 哈希 - SHA1 | `[a-fA-F0-9]{40}` | 待定 | 待定 | | 哈希 - SHA256 | `[a-fA-F0-9]{64}` | 待定 | 待定 | | 哈希 - SHA512 | `[a-fA-F0-9]{128}` | 待定 | 待定 | | 十六进制 | `/^#?([a-f0-9]{6}\|[a-f0-9]{3})$/` | 待定 | 待定 | | IPv4 | `\b(?:(?:25[0-5]\|2[0-4][0-9]\|1[0-9][0-9]\|[1-9]?[0-9])\.){3}(?:25[0-5]\|2[0-4][0-9]\|1[0-9][0-9]\|[1-9]?[0-9])\b` | [Regex101](https://regex101.com/r/Yj3q6l/1) | [bstrings](https://github.com/EricZimmerman/bstrings/blob/d95a1ad3972ba3857218561a0e1929762ebab65f/bstrings/Program.cs#L876) | | IPv4 (仅外部) | `\b(?!0\.)(?!10\.)(?!100\.6[4-9]\.)(?!100\.[7-9]\d\.)(?!100\.1[0-1]\d\.)(?!100\.12[0-7]\.)(?!127\.)(?!169\.254\.)(?!172\.1[6-9]\.)(?!172\.2[0-9]\.)(?!172\.3[0-1]\.)(?!192\.0\.0\.)(?!192\.0\.2\.)(?!192\.88\.99\.)(?!192\.168\.)(?!198\.1[8-9]\.)(?!198\.51\.100\.)(?!203.0\.113\.)(?!22[4-9]\.)(?!23[0-9]\.)(?!24[0-9]\.)(?!25[0-5]\.)(([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5])\.([0-9]\|[1-9][0-9]\|1[0-9]{2}\|2[0-4][0-9]\|25[0-5]))\b` | [Regex101](https://regex101.com/r/Ct1khx/1) | [StackOverflow](https://stackoverflow.com/questions/33453057/regex-to-only-match-public-ipv4-address) | | IPv6 | `(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,7}:\|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}\|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}\|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}\|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}\|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}\|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})\|:((:[0-9a-fA-F]{1,4}){1,7}\|:)\|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}\|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]\|(2[0-4]\|1{0,1}[0-9]){0,1}[0-9]))` | [Regex101](https://regex101.com/r/elIUjL/1) | [RegexTester](https://www.regextester.com/25) | | MAC 地址 | ` ^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$` | [Regex101](https://regex101.com/r/TotZcR/1) | [StackOverflow](https://stackoverflow.com/questions/4260467/what-is-a-regular-expression-for-a-mac-address) | | 密码 | ` ^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$ %^&*-]).{8,}$` | [Regex101](https://regex101.com/r/XQ4S1b/1) | [IHateRegex](https://ihateregex.io/expr/password/) | | 电话号码 | `^(\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$` | [Regex101](https://regex101.com/r/2OLXcu/1) | [StackOverflow](https://stackoverflow.com/a/16699507/15393449) | | Qakbot C2 | `(http\|https).*\:[0-9]{2,5}\/t5` | 待定 | [Twitter](https://twitter.com/Kostastsale/status/1594902025334321154?t=sGcife-eJnyRfqc8-5hHag&s=19) | | 删除文档中每行的尾部反斜杠 | `\\+$` | [Regex101](https://regex101.com/r/qayALM/1) | | | URL | `(https?:\/\/)?(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()!@:%_\+.~#?&\/\/=]*)`| [Regex101](https://regex101.com/r/GeH6XU/1) | [mathiasbynens.be](https://mathiasbynens.be/demo/url-regex) [URL 规范](https://url.spec.whatwg.org/#parsing) [IHateRegex](https://ihateregex.io/expr/url) | | 有效 URL (排除上述误报) | `\b((ht\|f)tp(s)?:\/\/\|www\.)+[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9]{2,}((\/)?([-a-zA-Z0-9@:%_\+.~#?&\/=]*)?)\b` | [Regex101](https://regex101.com/r/cQYupX/3/) | `jball77` | | 美国社会安全号码 | `^(?!0{3})(?!6{3})[0-8]\d{2}-(?!0{2})\d{2}-(?!0{4})\d{4}$` | [Regex101](https://regex101.com/r/XDAlwg/1) | [IHateRegex](https://ihateregex.io/expr/ssn/) | | 用户名 (Discord) | `^.{3,32}#[0-9]{4}$` | [Regex101](https://regex101.com/r/bXCZn7/1) | [IHateRegex](https://ihateregex.io/expr/discord-username/) | # 正则表达式资源 * https://www.regular-expressions.info/ - 可能是我迄今为止发现的最好的正则表达式资源！由 [PowerGREP](https://www.powergrep.com/) 和 [EditPad Pro](https://www.editpadpro.com/) 的作者制作 * https://regex101.com/ - 非常适合测试正则表达式 * https://regexr.com/ - 可作为正则表达式 IDE 使用 * https://www.mockaroo.com/ - 非常适合生成用于测试正则表达式的虚假数据

标签：Base64解码, 信用卡匹配, 字符串处理, 对抗攻击, 情报分析, 敏感信息检测, 数字取证, 数据展示, 数据提取, 文本挖掘, 模式匹配, 电子邮件提取, 红队, 网络安全, 网络诊断, 自动化分析, 自动化脚本, 自动化资产收集, 跨站脚本, 隐私保护