First of all, I apologize for posting this ugly, long sample, but it is all I could collect. I am trying to get the IP addresses of the malware source and of the host. My pattern works fine for the host, but when I try to return the source IP it breaks, because the pattern captured in the Look Back portion of the log changes. So I am stuck.

logs = [
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12446 devicePayloadId=8F003A0D28D9 rt=2023-05-03 00:09:25 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=MIM0002012 TMCMLogDetectedHost=MIM0002012 src=172.16.4.90 TMCMLogDetectedIP=172.16.4.90 cs3Label=SLF_DomainName cs3=Acme act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=173.233.137.60 deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12447 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:58 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=192.243.61.227 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12448 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:58 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=173.233.137.36 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12449 devicePayloadId=8F003A0D28D9 rt=2023-05-03 08:02:59 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=LENOVOM910Q TMCMLogDetectedHost=LENOVOM910Q src=10.10.110.69 TMCMLogDetectedIP=10.10.110.69 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=1 dst=192.243.59.13 deviceProcessName=C:\\\\Program Files (x86)\\\\Microsoft\\\\Edge\\\\Application\\\\msedge.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12450 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:15 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12451 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:16 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12452 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:19 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01 src=10.10.220.172 TMCMLogDetectedIP=10.10.220.172 cs3Label=SLF_DomainName cs3=Acme_Headquarter act=Block cn1Label=SLF_CCCA_RiskLevel cn1=3 cn2Label=SLF_CCCA_DetectionSource cn2=2 cn3Label=SLF_CCCA_DestinationFormat cn3=4 cs5Label=CnCDestinationURL cs5=somewebsite.com deviceProcessName=C:\\\\Windows\\\\System32\\\\svchost.exe dvchost=somedomain.manage.trendmicro.com ",
    "May 03 2023 19:30:30 abcde.manage.trendmicro.com CEF:0|Trend Micro|Apex Central|2019|CnC:Block|CnC Callback|3|deviceExternalId=12453 devicePayloadId=8F003A0D28D9 rt=2023-05-03 09:42:19 cat=1756 deviceFacility=Apex One cs2Label=EI_ProductVersion cs2=14.0 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01"
]

The host IP can be found in this section:

The code is:

import re

endpoint_ip_list = [re.sub('dst=','',re.search(r'(?<=src=).*?(?=\s+TMCMLogDetectedIP=)',log).group()) for log in logs]

Output:

['172.16.4.90', '10.10.110.69', '10.10.110.69', '10.10.110.69', '10.10.220.172', '10.10.220.172', '10.10.220.172', '10.10.220.172']

The second part is the source IP (the possible attack source), which can be found in this section:

Sometimes, depending on the policy, the log shows a domain instead of an IP address. So when I run the regex for the part highlighted in green, it obviously breaks.

callback_ip_list = [re.sub('dst=','',re.search(r'(?<=dst=).*?(?=\s+deviceProcessName=)',log).group()) for log in logs]

Output:

callback_ip_list = [re.sub('dst=','',re.search('(?<=dst=).*?(?=\s+deviceProcessName=)',log).group()) for log in logs]
AttributeError: 'NoneType' object has no attribute 'group'

If you know of a way to capture both the IP and the domain in the same expression, that would be perfect, but I would be happy with any fix for this tbh. Thanks for the help!

Accepted answer

Use an alternation to match dst= or cs5= before deviceProcessName=.

(?:(?<=dst=).*?|(?<=cs5=).*?)(?=\s+deviceProcessName=)
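An added example, not code from the question or the answer: it applies the accepted pattern with the no-match case handled instead of calling .group() on None, and beside it parses the CEF extension into key=value pairs so that src=, dst= and cs5= (when cs5Label=CnCDestinationURL) are read by name, including the truncated last record. The records are constructed in the shape of the Apex Central events above, with the CEF header trimmed.

```python
import re

# Constructed records in the shape of the Apex Central CEF events above
# (header trimmed to the extension section); not copied from a live system.
LOGS = [
    "deviceExternalId=12446 rt=2023-05-03 00:09:25 shost=MIM0002012 src=172.16.4.90 "
    "TMCMLogDetectedIP=172.16.4.90 act=Block cn3=1 dst=173.233.137.60 "
    "deviceProcessName=C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe "
    "dvchost=somedomain.manage.trendmicro.com",
    "deviceExternalId=12450 rt=2023-05-03 09:42:15 shost=DELLTELEC01 src=10.10.220.172 "
    "TMCMLogDetectedIP=10.10.220.172 act=Block cn3=4 cs5Label=CnCDestinationURL "
    "cs5=somewebsite.com deviceProcessName=C:\\\\Windows\\\\System32\\\\svchost.exe "
    "dvchost=somedomain.manage.trendmicro.com",
    # Truncated like the last record in the question: no src, no destination.
    "deviceExternalId=12453 rt=2023-05-03 09:42:19 shost=DELLTELEC01 TMCMLogDetectedHost=DELLTELEC01",
]

# The accepted pattern, with the None case handled instead of calling .group() blindly.
ANSWER_RE = re.compile(r"(?:(?<=dst=).*?|(?<=cs5=).*?)(?=\s+deviceProcessName=)")

def callback_via_regex(record):
    m = ANSWER_RE.search(record)
    return m.group() if m else None

# CEF extension values may contain spaces (timestamps, Windows paths), so
# split on the next "key=" token rather than on whitespace.
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

def parse_cef_extension(record):
    """Return the extension key=value pairs of one CEF record as a dict."""
    ext = record.split("|", 7)[-1]  # drop the 7 header fields if present
    return dict(EXT_PAIR.findall(ext))

def callback_destination(fields):
    """IP from dst=, else the URL/domain from cs5= when cs5Label says so."""
    if "dst" in fields:
        return fields["dst"]
    if fields.get("cs5Label") == "CnCDestinationURL":
        return fields.get("cs5")
    return None

def extract_pairs(records):
    """(endpoint IP, callback destination) per record; None where absent."""
    return [(f.get("src"), callback_destination(f))
            for f in map(parse_cef_extension, records)]

if __name__ == "__main__":
    for src, dst in extract_pairs(LOGS):
        print(f"endpoint={src} callback={dst}")
```

Reading the fields by name also keeps the pairing between endpoint and callback intact when a record lacks one of them, which the two separate list comprehensions in the question lose.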
