Is it possible to use a variable in a regex?

#1 opoplawski

Is it possible to use a variable in a regex? I'm trying to do something like the following:

```
Exec if ($EventID == 4104) {
   if defined(get_var('scriptblockid')) {
      $id = get_var('scriptblockid');
      if ($Message =~ /ScriptBlock ID: $id/) drop();
   }
   if ($Message =~ /ClassName = 'Root\/Microsoft\/Windows/) {
       if ($Message =~/ScriptBlock ID: (\S+)/) {
           set_var('scriptblockid', $1);
       }
       drop();
   }
}
```

#2 opoplawski

I ended up reworking it, which might even be more efficient:

```
            $id = $1;
            if (get_var('scriptblockid') == $id) drop();
            if ($Message =~ /ClassName = 'Root\/Microsoft\/Windows/) OR
               ($Message =~ /AnsibleModule/) OR
               ($Message =~ /Ansible Project/) OR
               ($Message =~ /#AnsibleRequires/) OR
               ($Message =~ /namespace Ansible/) OR
               ($Message =~ /Write-AnsibleLog/) OR
               ($Message =~ /Function ConvertFrom-AnsibleJson/) OR
               ($Message =~ /Function Get-AnsibleParam/) {
                set_var('scriptblockid', $id);
                drop();
            }
        }
```

Still curious about the original question though.

Also - does drop() stop processing the Exec as well or is there another command that would do that?
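
The reworked filter above, modelled in Python as an added example (not code from the thread or from NXLog): the captured ScriptBlock ID is compared with the stored one by equality, so nothing has to be interpolated into a regex. The `filter_events` and `ev` names, the event dictionaries and the sample messages are constructed for illustration.

```python
import re

# Noise markers copied from the reworked filter in the post.
MARKERS = re.compile(
    r"ClassName = 'Root/Microsoft/Windows|AnsibleModule|Ansible Project|"
    r"#AnsibleRequires|namespace Ansible|Write-AnsibleLog|"
    r"Function ConvertFrom-AnsibleJson|Function Get-AnsibleParam"
)
BLOCK_ID = re.compile(r"ScriptBlock ID: (\S+)")

def filter_events(events):
    """Return the events the filter keeps; everything else is dropped."""
    last_id = None  # stands in for the 'scriptblockid' module variable
    kept = []
    for event in events:
        m = BLOCK_ID.search(event["Message"]) if event["EventID"] == 4104 else None
        if m is None:
            kept.append(event)       # not a script block event: untouched
            continue
        block_id = m.group(1)
        if block_id == last_id:      # later part of a block already flagged
            continue
        if MARKERS.search(event["Message"]):
            last_id = block_id       # remember the ID, drop this part
            continue
        kept.append(event)
    return kept

def ev(text, block_id):
    # Constructed 4104 record; the message layout is an assumption.
    return {"EventID": 4104,
            "Message": f"{text}\n\nScriptBlock ID: {block_id}\nPath: "}

# Constructed input: a two-part Ansible block, an unrelated block, a logon.
SAMPLE = [
    ev("Creating Scriptblock text (1 of 2):\n#AnsibleRequires -CSharpUtil X", "aaaa-1111"),
    ev("Creating Scriptblock text (2 of 2):\n$result = @{}", "aaaa-1111"),
    ev("Creating Scriptblock text (1 of 1):\nGet-Process", "bbbb-2222"),
    {"EventID": 4624, "Message": "An account was successfully logged on."},
]

if __name__ == "__main__":
    for e in filter_events(SAMPLE):
        print(e["EventID"], e["Message"].splitlines()[0])
```

Only one ID is remembered at a time, so a later part of a flagged block that arrives after a different flagged block has been seen is kept rather than dropped.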