gomatch/Tokens at master · halafi/gomatch · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#General
USERNAME ^[a-zA-Z0-9_-]+$
WORD ^\w+$
USER ^\w+$
CLASS [\.\-\w]+
LEVEL (ERROR|DEBUG|INFO|TRACE|WARN)
EMAIL ^[a-zA-Z0-9_-]+@[a-zA-Z0-9_-]
URI ^([a-zA-Z][a-zA-Z0-9]*)://
ANY .*
ANYTHING .*

#Numbers
IP ^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
NUMBER ^[0-9]+
PORT ^\d+$

#Date
TIME \d{1,2}:\d{1,2}:\d{1,2}
YEAR \d{4}
TIMESTAMP_ISO8601 ^(\d{4}-\d{2}-\d{2}T\d{2}\:\d{2}:\d{2})
DATE ^(\d{4}-\d{2}-\d{2}T\d{2}\:\d{2}:\d{2})
MONTH ^(Jan|January|Feb|February|Mar|March|Apr|April|May|Jun|June|Jul|July|Aug|August|Sep|September|Oct|October|Nov|November|Dec|December)

#auth.log
SYSLOGPROG ^(?:[\w._/-]+)\[[0-9]+\]
PAM_UNIX ^(pam_unix)\((cron|sshd):(auth|session)\)
RHOST rhost=\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(.|)[\.\-\w]+
[IP] ^\[\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\]