I am trying to figure out which end anchor to use for the Symantec event.
Here is a snippet of the Symantec event:
Application hash: 4a3c0caeaf4bef6a170e3d031f7181901464ff8271639bab1641465e6f97e000,Hash type: SHA2,Company name: ,Application name: Mac Cleanup Pro,Application version: ,Application type: -1,File size (bytes): 196640,Category set: Security risk,Category type: UNKNOWN,Location: ,Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:
Here is my regex:
(?:Application\shash:\s*(?<Application_Hash>[^"]+)),?(?:Hash\stype:\s*(?<Hash_Type>[^"]+)),?(?:Application\sname:\s*(?<Application_Name>[^"]+)),?(?:Application\sversion:\s*(?<Application_Version>[^"]+)),?(?:File\ssize\s\(bytes\):\s*(?<File_Size>[^"]+)),?(?:Category\sset:\s*(?<Category_Set>[^"]+)),?(?:Category\stype:\s*(?<Category_Type>[^"]+)),?(?:Location:\s*(?<Location>[^"]+)),?(?:Intensive\sProtection\sLevel:\s*(?<Intensive_Protection_Level>[^"]+)),?(?:Certificate\sissuer:\s*(?<Certificate_Issuer>[^"]+)),?(?:Certificate\ssigner:\s*(?<Certificate_Signer>[^"]+)),?(?:Certificate\sthumbprint:\s*(?<Certificate_Thumbprint>[^"]+)),?(?:Signing\stimestamp:\s*(?<Signing_Timestamp>[^"]+)),?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))\z
I tried '$' and '\Z', but no luck getting the entire regex to match. If I leave the end of my regex as:
?(?:Certificate\sserial\snumber:\s*(?<Certificate_Serial_Number>[^"]+))?
The group `Signing_Timestamp` captures `0,Certificate serial number:`, so I know the regex is working up until the very end.
Any help would be appreciated
Thx
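A worked check of the regex against the event line quoted above, added here as example code (it is not from the original post, nor from Symantec). It is written in Python's re syntax, so named groups use `(?P<Name>...)`; every group name except `Signing_Timestamp` is assumed, following the same naming style. The sample event is reproduced from the question, and the check shows why the anchored match fails: each value is captured with `+`, which demands at least one character, but the final field `Certificate serial number:` is empty, so neither `\Z` nor `$` can be reached. Changing the value quantifier to `*` fixes it. The example also uses `[^,]` instead of `[^"]`, which ties each value to its own label instead of letting a greedy group swallow `,Certificate serial number:` into `Signing_Timestamp`, and it lists every field in the event rather than skipping `Company name` and `Application type`.

```python
import re

# Constructed sample: the event line quoted in the question, reproduced verbatim.
EVENT = (
    "Application hash: 4a3c0caeaf4bef6a170e3d031f7181901464ff8271639bab1641465e6f97e000,"
    "Hash type: SHA2,Company name: ,Application name: Mac Cleanup Pro,"
    "Application version: ,Application type: -1,File size (bytes): 196640,"
    "Category set: Security risk,Category type: UNKNOWN,Location: ,"
    "Intensive Protection Level: 0,Certificate issuer: ,Certificate signer: ,"
    "Certificate thumbprint: ,Signing timestamp: 0,Certificate serial number:"
)

# Field labels in the order they appear in the event, with the group names used
# below. All names except Signing_Timestamp are assumed, in the same style.
FIELDS = [
    ("Application hash", "Application_Hash"),
    ("Hash type", "Hash_Type"),
    ("Company name", "Company_Name"),
    ("Application name", "Application_Name"),
    ("Application version", "Application_Version"),
    ("Application type", "Application_Type"),
    ("File size (bytes)", "File_Size_Bytes"),
    ("Category set", "Category_Set"),
    ("Category type", "Category_Type"),
    ("Location", "Location"),
    ("Intensive Protection Level", "Intensive_Protection_Level"),
    ("Certificate issuer", "Certificate_Issuer"),
    ("Certificate signer", "Certificate_Signer"),
    ("Certificate thumbprint", "Certificate_Thumbprint"),
    ("Signing timestamp", "Signing_Timestamp"),
    ("Certificate serial number", "Certificate_Serial_Number"),
]


def build_pattern(value_quantifier):
    """Build 'Label:\\s*(?P<Name>[^,]Q)' for every field, join the pieces with
    commas and anchor both ends. Q is '+' (the question's choice) or '*' (the fix).
    Note: [^,] assumes no value contains a comma, which holds for this event
    format's fixed fields but would break on an application name with a comma."""
    parts = [
        rf"{re.escape(label)}:\s*(?P<{name}>[^,]{value_quantifier})"
        for label, name in FIELDS
    ]
    return re.compile("^" + ",".join(parts) + r"\Z")


# '+' requires at least one character per value. Middle empty fields such as
# "Company name: ," still pass because the space after the colon satisfies it,
# but the last field "Certificate serial number:" has nothing after the colon,
# so the anchored match fails. Swapping \Z for $ changes nothing.
BROKEN = build_pattern("+")
# '*' accepts an empty value, so the end anchor can be satisfied.
FIXED = build_pattern("*")


def parse_event(event, pattern=FIXED):
    """Return the event's fields as a dict, or None if the pattern does not match."""
    match = pattern.match(event)
    if match is None:
        return None
    return {name: value.strip() for name, value in match.groupdict().items()}


def hash_is_consistent(fields):
    """Sanity check before using the hash as an indicator: a SHA2 hash type must
    carry a 64-character hex digest, otherwise the event was mis-parsed."""
    if fields.get("Hash_Type") != "SHA2":
        return False
    return re.fullmatch(r"[0-9a-fA-F]{64}", fields.get("Application_Hash", "")) is not None


if __name__ == "__main__":
    print("'+' quantifier matches:", parse_event(EVENT, BROKEN) is not None)
    parsed = parse_event(EVENT)
    print("'*' quantifier matches:", parsed is not None)
    for key, value in parsed.items():
        print(f"{key:>28}: {value!r}")
    print("hash usable as indicator:", hash_is_consistent(parsed))
```

Run as a script it prints the field table; the two boolean lines show the original quantifier failing and the corrected one succeeding on the same input.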