A repo to centralize some of the regular expressions I've found useful over the course of my DFIR career. I get sick of hunting down regular expressions all the time, so this is my attempt to centralize them, not only for myself but also for others.
Regex101 links are included to show the expected hits for each regular expression before you use it for your own purposes.
Title | Regex | Regex101 | Links/Source |
---|---|---|---|
Age (Under 18) | `^(0?[1-9]{1}|[1]{1}[0-7]{1})(\s|[-])?(y(\s?)o|yr([sz]?)|year([sz]?)((\s|[-])?(old)?)|y)((\s?|[-])(old)?)$` | Regex101 | Digital Forensics Discord Server user jball77 |
BASE64 | `^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}\=|[A-Za-z0-9+/]{3}=)?$` | TBD | TBD |
Credit Card Numbers | `(^4[0-9]{12}(?:[0-9]{3})?$)|(^(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}$)|(3[47][0-9]{13})|(^3(?:0[0-5]|[68][0-9])[0-9]{11}$)|(^6(?:011|5[0-9]{2})[0-9]{12}$)|(^(?:2131|1800|35\d{3})\d{11}$)` | Regex101 | IHateRegex |
Cut Folder Hierarchy | `.+(?=((\|\/).+){2})` | Regex101 | RegexLib |
Email Addresses | `(([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})(\]?)(\s*;\s*|\s*$))*` | Regex101 | StackOverflow |
Filenames (Short/Suspicious) | `^[\w,\s-]{1,3}\.[a-zA-Z0-9]{2,4}$` | Regex101 | RegexTester |
Hash - MD5 | `[a-fA-F0-9]{32}` | TBD | TBD |
Hash - SHA1 | `[a-fA-F0-9]{40}` | TBD | TBD |
Hash - SHA256 | `[a-fA-F0-9]{64}` | TBD | TBD |
Hash - SHA512 | `[a-fA-F0-9]{128}` | TBD | TBD |
Hex | `/^#?([a-f0-9]{6}|[a-f0-9]{3})$/` | TBD | TBD |
IPv4 | `\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b` | Regex101 | bstrings |
IPv4 (External Only) | `\b(?!0\.)(?!10\.)(?!100\.6[4-9]\.)(?!100\.[7-9]\d\.)(?!100\.1[0-1]\d\.)(?!100\.12[0-7]\.)(?!127\.)(?!169\.254\.)(?!172\.1[6-9]\.)(?!172\.2[0-9]\.)(?!172\.3[0-1]\.)(?!192\.0\.0\.)(?!192\.0\.2\.)(?!192\.88\.99\.)(?!192\.168\.)(?!198\.1[8-9]\.)(?!198\.51\.100\.)(?!203\.0\.113\.)(?!22[4-9]\.)(?!23[0-9]\.)(?!24[0-9]\.)(?!25[0-5]\.)(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\b` | Regex101 | StackOverflow |
IPv6 | `(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))` | Regex101 | RegexTester |
MAC Address | `^([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})$` | Regex101 | StackOverflow |
Passwords | `^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$ %^&*-]).{8,}$` | Regex101 | IHateRegex |
Phone Numbers | `^(\+\d{1,2}\s)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$` | Regex101 | StackOverflow |
URLs | `(https?:\/\/)?(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()!@:%_\+.~#?&\/\/=]*)` | Regex101 | mathiasbynens.be, URL Spec, IHateRegex |
US Social Security Numbers | `^(?!0{3})(?!6{3})[0-8]\d{2}-(?!0{2})\d{2}-(?!0{4})\d{4}$` | Regex101 | IHateRegex |
Username (Discord) | `^.{3,32}#[0-9]{4}$` | Regex101 | IHateRegex |
- https://www.regular-expressions.info/ - probably the best resource for regex that I've found yet! Made by the author of PowerGREP and EditPad Pro
- https://regex101.com/ - great for testing regular expressions
- https://regexr.com/ - serves as a regex IDE
- https://www.mockaroo.com/ - great for generating fake data to test regex
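
The following is an added example, not part of the original repo: it runs the hash and IPv4 patterns from the table over constructed sample lines to show the expected hits before relying on them. The function names, the sample data and the `exact_length` lookarounds are assumptions made for this illustration.

```python
import re

# Patterns from the table above.
HASHES = {
    "MD5": r"[a-fA-F0-9]{32}",
    "SHA1": r"[a-fA-F0-9]{40}",
    "SHA256": r"[a-fA-F0-9]{64}",
    "SHA512": r"[a-fA-F0-9]{128}",
}
IPV4 = r"\b(?:(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\.){3}(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])\b"
# IPv4 (External Only) from the table; the dot after 203 is escaped here.
IPV4_EXTERNAL = r"\b(?!0\.)(?!10\.)(?!100\.6[4-9]\.)(?!100\.[7-9]\d\.)(?!100\.1[0-1]\d\.)(?!100\.12[0-7]\.)(?!127\.)(?!169\.254\.)(?!172\.1[6-9]\.)(?!172\.2[0-9]\.)(?!172\.3[0-1]\.)(?!192\.0\.0\.)(?!192\.0\.2\.)(?!192\.88\.99\.)(?!192\.168\.)(?!198\.1[8-9]\.)(?!198\.51\.100\.)(?!203\.0\.113\.)(?!22[4-9]\.)(?!23[0-9]\.)(?!24[0-9]\.)(?!25[0-5]\.)(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\b"

# Constructed sample lines; the two digests are the MD5 and SHA256 of empty input.
SAMPLE = """\
2024-01-01T00:00:00Z src=192.168.1.20 dst=8.8.8.8 action=allow
2024-01-01T00:00:05Z src=10.0.0.5 dst=203.0.113.9 action=deny
file=a.exe md5=d41d8cd98f00b204e9800998ecf8427e
file=b.dll sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

def find_hashes(text, exact_length):
    """Map hash type -> list of matches.

    exact_length wraps each pattern in hex lookarounds (an assumption, not in
    the table) so it cannot match a slice of a longer digest.
    """
    hits = {}
    for name, pattern in HASHES.items():
        if exact_length:
            pattern = r"(?<![a-fA-F0-9])" + pattern + r"(?![a-fA-F0-9])"
        hits[name] = re.findall(pattern, text)
    return hits

def find_ips(text, pattern):
    # finditer + group(0): the external-only pattern has capture groups,
    # so findall would return tuples of octets instead of the address.
    return [m.group(0) for m in re.finditer(pattern, text)]

if __name__ == "__main__":
    print("as in table:", find_hashes(SAMPLE, exact_length=False))
    print("exact length:", find_hashes(SAMPLE, exact_length=True))
    print("all IPv4:", find_ips(SAMPLE, IPV4))
    print("external only:", find_ips(SAMPLE, IPV4_EXTERNAL))
```

Used as written in the table, the MD5 pattern reports three hits on this sample, two of which are halves of the SHA256 digest; with the lookarounds it reports only the real MD5.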