
Alternative of negative lookahead

  • October 24, 2024
  • 5 replies
  • 66 views


srcip=(?!(10[.]|172[.](?:1[6-9]|2[0-9]|3[0-1])[.]|192[.]168[.]))

Negative lookahead (?!) is not supported by RE2 in Google SecOps.
I need an alternative for this, to filter out the cases where the srcip is public.
How can I achieve this in one single-line regex?

Can anyone help me? 
@AymanC  ?

5 replies

maxjunker
  • Bronze 4
  • October 24, 2024

Hi @anurag.q.singh , 

did I get you right that you want to select the public IPs?

I would go for a negative/excluding regex like this:

not(re.regex(principal.ip, `^(10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}|172\.(1[6-9]|2[0-9]|3[0-1])\.\d{1,3}\.\d{1,3})$`))

Yes, you got me right. But I don't want to use any function like re.regex or anything, just a plain regex expression.


AymanC
  • Bronze 5
  • October 24, 2024

Hi @anurag.q.singh,

For standardisation and efficiency, I would recommend setting up a reference list containing the CIDRs relating to public IPs, then within your rule logic doing the following:

rule ayman_cidr_reference_list_example {
  meta:
    author = "Ayman c"
  events:
    $e.metadata.event_type = "USER_CREATION"
    not $e.src.ip in cidr %Public_Ips_CIDR
  condition:
    $e
}

Kind Regards,

Ayman C


JeremyLand
Staff
  • Staff
  • October 24, 2024

Another option, in addition to the not re.regex() and cidr reference list options already presented, would be to implement this with the net.ip_in_range_cidr() function:

net.ip_in_range_cidr($event.principal.ip, "10.0.0.0/8") or
net.ip_in_range_cidr($event.principal.ip, "172.16.0.0/12") or
net.ip_in_range_cidr($event.principal.ip, "192.168.0.0/16")

Function Doc: https://cloud.google.com/chronicle/docs/detection/yara-l-2-0-syntax#netip_in_range_cidr

Blog with examples: https://www.googlecloudcommunity.com/gc/Community-Blog/New-to-Google-SecOps-Fall-is-the-perfect-time-for-CIDR/ba-p/733381


Is there any alternative for the negation statement (?!)?

srcip=(?!(10[.]|172[.](?:1[6-9]|2[0-9]|3[0-1])[.]|192[.]168[.]))

I want a single regex expression that suffices for my purpose. No function, nothing, since I need this for log filtering.

Thanks for your help in advance.