0

I was wondering how to create a regex that will match all ip addresses that start with 192.168.1.xxx I have been looking online and have not yet been able to find a match. Here is some some sample data that I am trying to match them from.

 /index.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:43 -0400] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:43 -0400] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://optiplex360/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:43 -0400] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://optiplex360/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:43 -0400] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://optiplex360/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:43 -0400] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://optiplex360/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:53 -0400] "GET /first HTTP/1.1" 404 203 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.1 - - [30/Sep/2016:16:19:00 -0400] "GET /HNAP1/ HTTP/1.1" 404 204 "-" "-"
192.168.1.1 - - [30/Sep/2016:16:19:00 -0400] "GET / HTTP/1.1" 403 4897 "-" "-"
192.168.1.1 - - [30/Sep/2016:16:19:00 -0400] "POST /JNAP/ HTTP/1.1" 404 203 "-" "-"
192.168.1.1 - - [30/Sep/2016:16:19:00 -0400] "POST /JNAP/ HTTP/1.1" 404 203 "-" "-"
Dharman
  • 30,962
  • 25
  • 85
  • 135
Timhenn98
  • 39
  • 5
  • What have you tried? This is an easy task. In fact, you can locate such addresses by doing a simple non-regex search for "192.168.1.". By the way, you realize that private IPs include everything in "192.168.x.x", right? – Tim Roberts Apr 15 '21 at 23:31
  • 1
    To be fair @TimRoberts Private IP's are `10.0.0.0/8` `172.16.0.0/16` and `192.168.0.0/24`. Title is a tad misleading. Are we looking for a regex to match ANY private address? – PacketLoss Apr 15 '21 at 23:35
  • If we are being picky, the ranges are `10.0.0.0/8`, `172.16.0.0/12` and `192.168.0.0/16`. – Tim Roberts Apr 16 '21 at 00:12

3 Answers3

1

Here you go. Also, checkout https://regexr.com/

^192\.168\.1\.[0-9]{1,3}$

zerecees
  • 697
  • 4
  • 13
1

If you really only want to match '192.168.1.xxx', then you can use this regex to use this in python specifically: "192\.168\.1\.[0-9]{1,3}".

I personally recommend using regexr to get more familiar with regex. You can enter your data and on the left you can look at a cheatsheet to help you learn.

Vvamp
  • 414
  • 4
  • 12
0

I think here its best to use a combination of regex to grab any valid IP address from your data, row by row. Then use ipaddress to check if the address sits within the network you're looking for.

This will provide much more flexibility in the case you need to check different networks, instead of rewriting the regex every single time, you can create an ip_network object instead. We could also create multiple networks, and check for existence in all of them.

import ipaddress
import re

data =  '''/index.html HTTP/1.1" 404 208 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:43 -0400] "GET / HTTP/1.1" 403 4897 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:43 -0400] "GET /noindex/css/fonts/Light/OpenSans-Light.woff HTTP/1.1" 404 241 "http://optiplex360/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:43 -0400] "GET /noindex/css/fonts/Bold/OpenSans-Bold.woff HTTP/1.1" 404 239 "http://optiplex360/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:43 -0400] "GET /noindex/css/fonts/Light/OpenSans-Light.ttf HTTP/1.1" 404 240 "http://optiplex360/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:43 -0400] "GET /noindex/css/fonts/Bold/OpenSans-Bold.ttf HTTP/1.1" 404 238 "http://optiplex360/noindex/css/open-sans.css" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.142 - - [30/Sep/2016:16:18:53 -0400] "GET /first HTTP/1.1" 404 203 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0"
192.168.1.1 - - [30/Sep/2016:16:19:00 -0400] "GET /HNAP1/ HTTP/1.1" 404 204 "-" "-"
192.168.1.1 - - [30/Sep/2016:16:19:00 -0400] "GET / HTTP/1.1" 403 4897 "-" "-"
192.168.1.1 - - [30/Sep/2016:16:19:00 -0400] "POST /JNAP/ HTTP/1.1" 404 203 "-" "-"
192.168.1.1 - - [30/Sep/2016:16:19:00 -0400] "POST /JNAP/ HTTP/1.1" 404 203 "-" "-"'''

network = ipaddress.ip_network('192.168.1.0/24')

# Pattern that matches any valid ipv4 address
pattern = r'^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$'

for row in data.split():
    if (ip := re.search(pattern, row)):
        if ipaddress.IPv4Address(ip.group()) in network:
            print(f'{ip.group()} exists in {network}')

Output

192.168.1.142 exists in 192.168.1.0/24
192.168.1.142 exists in 192.168.1.0/24
192.168.1.142 exists in 192.168.1.0/24
192.168.1.142 exists in 192.168.1.0/24
192.168.1.142 exists in 192.168.1.0/24
192.168.1.142 exists in 192.168.1.0/24
192.168.1.1 exists in 192.168.1.0/24
192.168.1.1 exists in 192.168.1.0/24
192.168.1.1 exists in 192.168.1.0/24
192.168.1.1 exists in 192.168.1.0/24
PacketLoss
  • 5,561
  • 1
  • 9
  • 27