Solved: How can I escape the < > signs so that the token w...

jcorkey · ‎08-07-2017

I am trying to set a token to have the following regex value rex "by (?<SU>[^(]+)". This regex is part of a larger search string.

This line of code <set token="searchstring">| rex "by (?<SU>[^(]+)"</set> almost works but it is having problems with the < > signs surrounding the SU in the regex. Because of the <SU> it gets an "unexpected close tag" error.

How can I escape the < > signs so that the token will properly hold my regex with these symbols?

sbbadri · ‎08-07-2017

amp(&)gt; for>
amp(&)lt; for<

use ampersant symbol not string

View solution in original post

jkat54 · ‎08-07-2017

 ...| rex "by (?<SU>[^(]+)\"\<\/set"

Try the backslash for escaping pcre special characters (as shown above)

sbbadri · ‎08-07-2017

amp(&)gt; for>
amp(&)lt; for<

use ampersant symbol not string

jcorkey · ‎08-07-2017

I am confused about how to use what you wrote. Can you show an example?

sbbadri · ‎08-07-2017

i mean

ampersand_symbollt;suampersand_symbolgt;

jkat54 · ‎08-07-2017

&lt; = <
&gt; = >

cpetterborg · ‎08-07-2017

Actually it looks like the </set> might be the problem, since it has no place in the rex command (outside the double quotes). If you have other code that didn't make it properly into the question, then I could certainly be wrong.

How can I escape the < > signs so that the token will properly hold my regex with these symbols?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...