我正在解析snort规则,这些规则因拥有各种字符而臭名昭着。我试图替换的具体是前一个右括号前面的所有尾随空格,只有一个右括号:
简单的例子:
alert tcp any any -> any any (msg: "jons test"; flow: to_server,established; content:"/ui/"; nocase; content:"/getlatestversion?ver="; nocase; sid:1002496; rev:1; )
应该是:
alert tcp any any -> any any (msg: "jons test"; flow: to_server,established; content:"/ui/"; nocase; content:"/getlatestversion?ver="; nocase; sid:1002496; rev:1;)
我试过
string newRuleText = Regex.Replace(this.textBox1.Text, "s+\\)$", ")");
和
string newRuleText = Regex.Replace(this.textBox1.Text, "\\s+\\)$", ")");
但是newRuleText字符串仍然没有变化。
答案 0 :(得分:2)
问题与正确的正则表达无关。我执行了这个:
System.Text.RegularExpressions.Regex.Replace("alert tcp any any -> any any (msg: \"jons test\"; flow: to_server,established; content:\"/ui/\"; nocase; content:\"/getlatestversion?ver=\"; nocase; sid:1002496; rev:1; )","\\s+\\)$",")")
结果是:
"alert tcp any any -> any any (msg: \"jons test\"; flow: to_server,established; content:\"/ui/\"; nocase; content:\"/getlatestversion?ver=\"; nocase; sid:1002496; rev:1;)"
可能是")"不是字符串的最后一个字符。
您是否使用" \ s + \)"?
如果这样可行则问题与$和")"有关。不是最后一个字符