1 00:00:00,720 --> 00:00:04,650 I have heard about regular expressions popping up on the exam a lot.
2 00:00:05,720 --> 00:00:09,650 Why do you need to know about regular expressions for the Cyber Ops exam?
3 00:00:09,650 --> 00:00:12,820 Well, that's because they're used in programming languages,
4 00:00:12,890 --> 00:00:16,910 IPS signatures, and data search tools.
5 00:00:17,300 --> 00:00:23,020 Regular expressions are a sequence of characters that define a search pattern.
6 00:00:23,030 --> 00:00:27,800 Think of them as just a really easy way to summarize information.
7 00:00:27,890 --> 00:00:34,580 So if you wanted to match all of the public IP addresses on the Internet in an IPS rule, instead of listing
8 00:00:34,580 --> 00:00:41,690 each of them you could use a regular expression to only match the desired IP addresses with a few lines
9 00:00:42,080 --> 00:00:43,790 instead of thousands.
10 00:00:43,790 --> 00:00:48,220 This would keep the rule short and well organized.
11 00:00:48,230 --> 00:00:52,570 Let's take a look at how they can be used for IPS signature rules.
12 00:00:53,760 --> 00:00:59,300 Let's say I wanted to block any traffic that had the word hello in the payload.
13 00:00:59,940 --> 00:01:05,100 That may sound easy enough, but there are many ways to enter the word Hello.
14 00:01:05,130 --> 00:01:11,160 How would I know which characters were lowercase or uppercase to match every variant of the word?
15 00:01:11,580 --> 00:01:18,090 Well, if I used a regular expression like the one seen here, with one line I can match the word hello
16 00:01:18,090 --> 00:01:18,790 presented
17 00:01:18,810 --> 00:01:23,700 in any case. Here's another good example,
18 00:01:23,700 --> 00:01:31,060 for if we wanted to match an HTTP URI containing a bad word in any form.
19 00:01:32,990 --> 00:01:39,140 So now that you have a basic understanding of what the point of regular expressions is, let's hop into
20 00:01:39,170 --> 00:01:45,000 my Linux lab and we'll use regular expressions to search within the Linux system.
21 00:01:46,500 --> 00:01:51,880 So on my Linux machine, on the desktop, I have this file called malware.
22 00:01:52,030 --> 00:01:58,630 And if I open it up I have some text that says malicious file
23 00:01:58,620 --> 00:02:04,140 and one two three four five, and I just threw in some text just so that we had something within the
24 00:02:04,140 --> 00:02:06,140 file to search for
25 00:02:06,360 --> 00:02:17,490 with our regular expressions. I pull up my terminal, and how you can search for characters within Linux is
26 00:02:17,490 --> 00:02:28,880 with the grep command. The grep command stands for global regular expression print. So say look for
27 00:02:28,880 --> 00:02:37,190 anything with the word file, all lowercase, and you have to put brackets around your regular expressions
28 00:02:37,430 --> 00:02:38,520 when you're defining them,
29 00:02:40,400 --> 00:02:43,880 in the file located on my desktop named malware.
30 00:02:43,880 --> 00:02:54,540 So this is going to search this file for the word file, lowercase. So as you can see it did not find the word
31 00:02:54,660 --> 00:03:03,600 file in all lowercase, and I showed you that the words malicious file were in the malware file on my
32 00:03:03,600 --> 00:03:04,200 desktop.
33 00:03:04,200 --> 00:03:06,550 So what are we missing here?
34 00:03:06,720 --> 00:03:15,290 Well, like the example I showed you with the word hello and matching lowercase or uppercase, if you remember
35 00:03:15,590 --> 00:03:22,320 the word file had an uppercase F. So let me just put uppercase and see if we find it this time.
36 00:03:23,400 --> 00:03:24,420 So there you go.
37 00:03:24,450 --> 00:03:30,340 It was able to search through that file and display the line with the word file in it.
38 00:03:30,350 --> 00:03:39,040 So if I didn't remember if it was lowercase or uppercase, I could use square brackets and put both lowercase
39 00:03:39,050 --> 00:03:45,410 and uppercase, and then when it searches for the word file it would check for both file starting with lowercase
40 00:03:45,700 --> 00:03:47,130 and uppercase F.
41 00:03:47,300 --> 00:03:50,540 So let's run this and see if it finds it this time.
42 00:03:50,540 --> 00:03:50,930 And there you go.
43 00:03:54,350 --> 00:03:54,710 OK.
44 00:03:54,720 --> 00:03:58,600 So next let's search for the numbers within the malware file.
45 00:04:03,690 --> 00:04:07,050 So let's say, what if I do one two three four five,
46 00:04:10,360 --> 00:04:15,040 and then what if I said one two three four five six? You can see that it did not match,
47 00:04:15,070 --> 00:04:19,590 because when you're just defining the actual text it has to be exact.
48 00:04:19,720 --> 00:04:30,450 But if I were to use square brackets and say 1 through 6, then it's going to look and show me the
49 00:04:30,450 --> 00:04:35,650 line that has any number 1 through 6.
50 00:04:35,760 --> 00:04:42,880 So if I did like 6 through 9, as you can see it did not show any results because I did not match the
51 00:04:42,880 --> 00:04:44,480 line.
52 00:04:44,480 --> 00:04:49,180 Now I just want to show you a few other common regular expression commands.
53 00:04:52,210 --> 00:04:55,810 The caret is used to match the beginning of a string.
54 00:04:55,810 --> 00:05:07,040 So I could say look through this file and find anything that starts with mal, so it searches that file.
55 00:05:07,190 --> 00:05:10,670 And since this line started with mal it displayed.
56 00:05:14,320 --> 00:05:16,260 Well, a-l.
57 00:05:17,140 --> 00:05:24,060 You can see it did not work because this is only for at the very beginning of the line. On the other hand,
58 00:05:24,060 --> 00:05:29,530 the regular expression is the dollar sign, which matches the end of a line.
59 00:05:29,780 --> 00:05:40,900 So I could say anything in this file ending with the number five, match as a regular expression. As you can
60 00:05:40,900 --> 00:05:43,570 see it matched the string of one two three four five.
61 00:05:43,570 --> 00:05:51,490 Now if I did four it's not going to work, because it's starting from there right at the end and working
62 00:05:51,490 --> 00:05:53,420 its way in.
63 00:05:53,440 --> 00:06:01,060 So if I were to put four five then that would be an acceptable match with the dollar sign
64 00:06:01,060 --> 00:06:04,300 regular expression to match the end of any string.
65 00:06:07,090 --> 00:06:07,370 OK.
66 00:06:07,370 --> 00:06:12,030 Now you should have a basic understanding of how you can use regular expressions.
67 00:06:12,030 --> 00:06:20,100 I have included some links as resources with this lecture that you can use to review to help you prepare
68 00:06:20,100 --> 00:06:21,310 for the exam.