RegEx in DNS.qname DNS.Request Trigger

I’m trying to query for DNS requests that meet a specific Regex.

Let’s assume the regex is:

(.+(zd|hy))+([a-z0-9]{1,20})\.(?:com|net|org|us)

My Trigger:

if (event == "DNS_REQUEST") {

    if (DNS.qname.search(.+(zd|hy))+([a-z0-9]{1,20})\.(?:com|net|org|us)); {
        commitRecord("myRecord", DNS.record);
    }
}

Any idea how to get this to work?

I would suggest three adjustments

  1. you have a parenthesis mismatch in the if statement

  2. I would specify the regular expression with ‘/’ at the beginning and end

  3. I would make the if statement test for “> -1” since the search might find the result at index 0

if (event == "DNS_REQUEST") {

    if (DNS.qname.search(/(.+(zd|hy))+([a-z0-9]{1,20}).(?:com|net|org|us)/i) > -1) {
        commitRecord("myRecord", DNS.record);
    }
}

Alternatively, you could try using the test method of a regular expression:

if (event == "DNS_REQUEST") {
  var regex = /(.+(zd|hy))+([a-z0-9]{1,20}).(?:com|net|org|us)/i
  
  if (regex.test(DNS.qname)){
    commitRecord("myRecord", DNS.record);
  }
}

The regular expression does seem a bit off to me as a test because it includes a non-capturing group, but maybe there is something I’m missing there.

I hope that is helpful.

Couple of things.

Thing 1: a wee bit of defensive programming:

if ( DNS.qname && DNS.qname.search ... ) {

The idea is to handle the condition when DNS.qname is null. It shouldn’t happen, but I’ve seen it plenty of times in the wild.

Thing 2: it would be helpful if you could use some pseudo code to describe what you’re trying to find.

Looks like:

  • one or more instances of stuff followed by literal zd or hy
  • followed by 1 to 20 alpha or numeric characters
  • followed by any character
  • followed by com or net or org or us

Thing 3: Did you intend the “.” in the middle of your regex to be a literal period? If so, you need to escape it with a negative sloping slash like this:

\.

Thing 4: I tend to use the .match operator whether testing for existence or trying to capture text via regex. So DNS.qname.match(

Again, some examples of what you’re looking for would help.

This works.

Thanks.

if (event == "DNS_REQUEST") {

    if (DNS.qname.search(/(.+(zd|hy))+([a-z0-9]{1,20}).(?:com|net|org|us)/i) > -1) {
        commitRecord("myRecord", DNS.record);
    }
}

@gumby makes a good suggestion. Here’s a version which integrates that:

if (event === "DNS_REQUEST") {

    // test() is a RegExp method: call it on the pattern and pass the string
    if (DNS.qname && /(.+(zd|hy))+([a-z0-9]{1,20}).(?:com|net|org|us)/i.test(DNS.qname)) {
        commitRecord("myRecord", DNS.record);
    }
}
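
An added example, not part of any post above: plain JavaScript that runs outside the trigger runtime, with constructed query names standing in for DNS.qname. It compares the pattern with the escaped and the unescaped "." and shows why the result of search() is compared with -1. The function names and sample names are assumptions of this example.

```javascript
// Constructed sample query names; none come from the original thread.
const SAMPLES = [
  "abczd123.com",        // intended hit, match starts at index 0
  "xhyfoo.net",          // intended hit
  "www.example.com",     // contains neither "zd" nor "hy"
  "abczd12xcom.example", // only matches when "." is left unescaped
  null,                  // stands in for a missing DNS.qname
];

// Pattern as posted in the replies: "." before the TLD matches any character.
const LOOSE = /(.+(zd|hy))+([a-z0-9]{1,20}).(?:com|net|org|us)/i;
// Pattern from the original question: "\." matches a literal period only.
const STRICT = /(.+(zd|hy))+([a-z0-9]{1,20})\.(?:com|net|org|us)/i;

// Null-safe check. test() returns a boolean, so a match at index 0 is still true.
function qnameMatches(qname, regex) {
  return typeof qname === "string" && regex.test(qname);
}

// search() returns an index (0 for a match at the start), so callers
// must compare with -1 rather than rely on truthiness.
function qnameSearchIndex(qname, regex) {
  return typeof qname === "string" ? qname.search(regex) : -1;
}

// Evaluate every sample against both patterns.
function classify(samples) {
  return samples.map((q) => ({
    qname: q,
    loose: qnameMatches(q, LOOSE),
    strict: qnameMatches(q, STRICT),
    index: qnameSearchIndex(q, STRICT),
  }));
}

console.table(classify(SAMPLES));
```

Both patterns are unanchored, so a name that merely contains a matching substring is also committed.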