regex

Parse and transform variables using regular expressions. For more information about regular expressions and regex syntax see Python Regex.

Note

This command does not modify RESULT_STDOUT.

The following example extracts a port number from the output of a shell command and stores it in the variable UNREALPORT:

commands:
  - type: shell
    cmd: echo "6667/tcp open  irc UnrealIRCd"

  - type: regex
    cmd: (\d+).*UnrealIRCd
    output:
        UNREALPORT: "$MATCH_0"

  - type: debug
    cmd: "Port: $UNREALPORT"

Using mode: split, a string can be tokenized by a delimiter, in this case, whitespace "\ +":

commands:
  - type: shell
    cmd: echo "6667/tcp open  irc UnrealIRCd"

  - type: regex
    cmd: "\ +"
    mode: split
    output:
        # {'MATCH_0': '6667/tcp', 'MATCH_1': 'open', 'MATCH_2': 'irc', 'MATCH_3': 'UnrealIRCd\n'}
        UNREALPORT: "$MATCH_0"

  - type: debug
    cmd: "Port: $UNREALPORT"
cmd

The regular expression pattern to apply.

Type:

str

Required:

True

mode

The Python regex function to use. One of:

  • findall - find all non-overlapping matches

  • search - find the first match anywhere in the string

  • split - split the string by occurrences of the pattern

  • sub - replace occurrences of the pattern with replace

Type:

str

Default:

findall

Required:

False

replace

This variable must be set for mode: sub. It holds the replacement-string for the substitution.

Type:

str

Default:

None

Required:

when mode: sub

commands:
  - type: setvar
    cmd: "hello world"
    variable: FOO

  - type: regex
    cmd: hello
    replace: whaat
    mode: sub
    input: FOO
    output:
      BAR: $MATCH_0

  - type: debug
    cmd: $BAR
input

Name of the variable whose value will be used as the regex input (without the leading $).

Type:

str

Default:

RESULT_STDOUT

Required:

False

output

Mapping of variable names to match references (e.g. MYVAR: $MATCH_0).

Type:

dict[str,str]

Required:

True

Matches are indexed as $MATCH_0, $MATCH_1, etc. For nested results (lists of tuples), matches are indexed as $MATCH_0_0, $MATCH_0_1, etc.

If the pattern does not match, no output variables are set. If sub or split find no match, the original input string is returned.

The builtin variables REGEX_MATCHES_LIST is also populated with a list of all matches whenever the command produces results.

Note

Running AttackMate in debug mode (–debug) prints a full dump of all matches.