Drill 09: Infrastructure Patterns

BOSS LEVEL. This drill combines everything: character classes, quantifiers, anchors, groups, alternation, lookahead, and lookbehind into real-world infrastructure patterns. These are the patterns you’ll use daily in network engineering and system administration.

Pattern Complexity Levels

Level Example Description

Level	Example	Description
Basic	`\d+\.\d+\.\d+\.\d+`	Simple IP match (doesn’t validate)
Intermediate	`\b(?:25[0-5]\|2[0-4]\d\|[01]?\d\d?)\.(?:…){3}\b`	Validated IPv4 octets
Advanced	Combining with context: `(?⇐ip address )\d+\.\d+\.\d+\.\d+(?= \d+\.\d+\.\d+\.\d+)`	Extract IP from config with mask lookahead

Basic

\d+\.\d+\.\d+\.\d+

Simple IP match (doesn’t validate)

Intermediate

\b(?:25[0-5]|2[0-4]\d|[01]?\d\d?)\.(?:…){3}\b

Validated IPv4 octets

Advanced

Combining with context: (?⇐ip address )\d+\.\d+\.\d+\.\d+(?= \d+\.\d+\.\d+\.\d+)

Extract IP from config with mask lookahead

Interactive CLI Drill

bash ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/examples/regex-drills/09-infrastructure.sh

Section 1: IP Address Patterns

Basic IPv4 Pattern

# Simple (matches invalid IPs like 999.999.999.999)
grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' file.txt

# With word boundaries
grep -oP '\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b' file.txt

Validated IPv4 Pattern

# Each octet 0-255 (complex but accurate)
grep -oP '\b(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b' file.txt

Breaking it down: - 25[0-5] = 250-255 - 2[0-4][0-9] = 200-249 - [01]?[0-9][0-9]? = 0-199

CIDR Notation

# IP/prefix (0-32)
grep -oP '\b\d{1,3}(?:\.\d{1,3}){3}/(?:3[0-2]|[12]?[0-9])\b' file.txt

# Example: 10.50.1.0/24
echo "Network: 10.50.1.0/24" | grep -oP '\d+\.\d+\.\d+\.\d+/\d+'

Private IP Ranges

# Match private IPs only
grep -oP '\b(?:10\.\d{1,3}|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b' file.txt

# Match:
# 10.0.0.0 - 10.255.255.255
# 172.16.0.0 - 172.31.255.255
# 192.168.0.0 - 192.168.255.255

IPv6 Patterns

# Full IPv6 (8 groups of 4 hex digits)
grep -oP '\b(?:[0-9A-Fa-f]{1,4}:){7}[0-9A-Fa-f]{1,4}\b' file.txt

# With :: compression (complex)
grep -oP '\b(?:[0-9A-Fa-f]{1,4}:){1,7}:|::(?:[0-9A-Fa-f]{1,4}:){0,6}[0-9A-Fa-f]{1,4}\b' file.txt

# Simplified practical pattern
grep -oP '\b[0-9A-Fa-f:]+:[0-9A-Fa-f:]+\b' file.txt

Exercise: IP Extraction

cat << 'EOF' > /tmp/ex-ips.txt
Server at 192.168.1.100 listening on port 8080
Gateway: 10.50.1.1
Invalid: 300.400.500.600
Network: 10.0.0.0/8
ACL: permit ip 10.50.1.0/24 any
Endpoint: 2001:db8::1
EOF

Extract valid private IPs only

grep -oP '\b(?:10|192\.168|172\.(?:1[6-9]|2\d|3[01]))\.\d{1,3}\.\d{1,3}\b' /tmp/ex-ips.txt

Output: 192.168.1.100, 10.50.1.1, 10.50.1.0

Section 2: MAC Address Patterns

Common Formats

# Colon-separated (Cisco, Linux)
grep -oiP '(?:[0-9A-F]{2}:){5}[0-9A-F]{2}' file.txt
# Example: AA:BB:CC:DD:EE:FF

# Hyphen-separated (Windows)
grep -oiP '(?:[0-9A-F]{2}-){5}[0-9A-F]{2}' file.txt
# Example: AA-BB-CC-DD-EE-FF

# Cisco 3-group format
grep -oiP '(?:[0-9A-F]{4}\.){2}[0-9A-F]{4}' file.txt
# Example: AABB.CCDD.EEFF

Universal MAC Pattern

# Match any format
grep -oiP '(?:[0-9A-F]{2}[:-]){5}[0-9A-F]{2}|(?:[0-9A-F]{4}\.){2}[0-9A-F]{4}' file.txt

OUI Extraction (First 3 Octets)

# Extract manufacturer OUI
grep -oiP '(?:[0-9A-F]{2}:){2}[0-9A-F]{2}' file.txt

# With context
grep -oP 'MAC:\s*\K(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}' file.txt

Exercise: MAC Processing

cat << 'EOF' > /tmp/ex-macs.txt
Endpoint: AA:BB:CC:DD:EE:FF
Windows: AA-BB-CC-DD-EE-FF
Switch: aabb.ccdd.eeff
Invalid: GG:HH:II:JJ:KK:LL
Partial: AA:BB:CC
EOF

Extract all valid MACs (any format)

grep -oiP '(?:[0-9A-F]{2}[:-]){5}[0-9A-F]{2}|(?:[0-9A-F]{4}\.){2}[0-9A-F]{4}' /tmp/ex-macs.txt

Output: AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff

Section 3: Log Parsing Patterns

Syslog Format

# Standard syslog: Month Day HH:MM:SS hostname service[pid]: message
# Extract timestamp
grep -oP '^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}' /var/log/syslog

# Extract hostname
grep -oP '^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\K\S+' /var/log/syslog

# Extract service name
grep -oP '^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+\K\w+(?=\[)' /var/log/syslog

# Extract PID
grep -oP '\[(\d+)\]' /var/log/syslog

Journald/Systemd Logs

# ISO timestamp with timezone
grep -oP '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}[+-]\d{4}' file.txt

# Extract unit name
grep -oP '(?<=: )\w+\.service' /var/log/syslog

# Extract log level
grep -oP '\b(EMERG|ALERT|CRIT|ERR|WARNING|NOTICE|INFO|DEBUG)\b' file.txt

Application Logs

# Common log format (Apache/Nginx access)
# IP - - [timestamp] "METHOD /path HTTP/x.x" status size
grep -oP '^\d+\.\d+\.\d+\.\d+' /var/log/nginx/access.log

# Extract HTTP method and path
grep -oP '"(GET|POST|PUT|DELETE|PATCH) [^"]+' /var/log/nginx/access.log

# Extract status code
grep -oP '" \K\d{3}(?= )' /var/log/nginx/access.log

# Extract response time (if logged)
grep -oP 'rt=\K\d+\.\d+' /var/log/nginx/access.log

Error Log Patterns

# Extract error codes
grep -oP 'E[0-9]{4,5}' /var/log/app.log

# Extract stack trace file:line
grep -oP '\w+\.(py|java|go|rs):\d+' /var/log/app.log

# Extract exception names
grep -oP '\b[A-Z][a-z]*(?:Exception|Error)\b' /var/log/app.log

# Find IP-related errors
grep -P '\d+\.\d+\.\d+\.\d+.*(?:failed|error|timeout)' /var/log/app.log

Exercise: Log Analysis

cat << 'EOF' > /tmp/ex-logs.txt
Mar 26 10:15:23 server-01 sshd[12345]: Failed password for invalid user admin from 192.168.1.100 port 54321 ssh2
Mar 26 10:15:24 server-01 sshd[12346]: Accepted publickey for evan from 10.50.1.50 port 22 ssh2
2026-03-26T10:15:25+0000 [ERROR] Connection refused: 10.50.1.20:443
2026-03-26T10:15:26+0000 [INFO] Request completed in 234ms
10.50.1.100 - - [26/Mar/2026:10:15:27 +0000] "GET /api/users HTTP/1.1" 200 1234
10.50.1.101 - - [26/Mar/2026:10:15:28 +0000] "POST /api/login HTTP/1.1" 401 89
EOF

Extract all unique IPs from failed/error lines

grep -iP '(fail|error|refuse|401)' /tmp/ex-logs.txt | grep -oP '\d+\.\d+\.\d+\.\d+' | sort -u

Output: 10.50.1.20, 10.50.1.101, 192.168.1.100

Section 4: Network Configuration Patterns

Cisco IOS Patterns

# Extract interface names
grep -oP '(?<=interface )\S+' config.txt

# Extract IP and mask from interface
grep -oP '(?<=ip address )\d+\.\d+\.\d+\.\d+ \d+\.\d+\.\d+\.\d+' config.txt

# Extract VLAN ID
grep -oP '(?<=switchport access vlan )\d+' config.txt

# Extract hostname
grep -oP '(?<=hostname )\S+' config.txt

# Extract ACL names
grep -oP '(?<=access-list )\w+' config.txt

# Extract NTP servers
grep -oP '(?<=ntp server )\S+' config.txt

# Extract routing protocols
grep -P '^router (ospf|eigrp|bgp|rip)' config.txt

Firewall Rules

# iptables rules
# Extract source/dest IPs
grep -oP '(?<=-s )\d+\.\d+\.\d+\.\d+(?:/\d+)?' iptables.txt
grep -oP '(?<=-d )\d+\.\d+\.\d+\.\d+(?:/\d+)?' iptables.txt

# Extract ports
grep -oP '(?<=--dport )\d+' iptables.txt

# VyOS/iptables
grep -oP '(?<=source address )\S+' vyos.txt
grep -oP '(?<=destination port )\d+' vyos.txt

ACL Extraction

# Cisco ACL entries
cat << 'EOF' > /tmp/ex-acl.txt
access-list 100 permit tcp any host 10.50.1.20 eq 443
access-list 100 permit tcp any host 10.50.1.20 eq 22
access-list 100 deny tcp any host 10.50.1.30 eq 3389
access-list 100 permit icmp any any
access-list 100 permit tcp 10.50.1.0 0.0.0.255 any eq 80
EOF

Extract all destination hosts and ports

grep -oP 'host \K\d+\.\d+\.\d+\.\d+(?= eq \d+)' /tmp/ex-acl.txt
grep -oP '(?<=eq )\d+' /tmp/ex-acl.txt

VLAN Configuration

# Extract VLAN ID and name pairs
grep -oP 'vlan \d+ name \w+' config.txt

# Extract just VLAN IDs
grep -oP '(?<=vlan )\d+' config.txt

# Extract trunked VLANs
grep -oP '(?<=allowed vlan )[\d,-]+' config.txt

Section 5: ISE-Specific Patterns

ISE Log Parsing

# Extract Calling-Station-ID (MAC)
grep -oP '(?<=Calling-Station-ID=)[0-9A-Fa-f:-]+' ise-psc.log

# Alternative format
grep -oP 'Calling-Station-ID=\K[0-9A-Fa-f:-]+' ise-psc.log

# Extract NAS-IP-Address
grep -oP '(?<=NAS-IP-Address=)\d+\.\d+\.\d+\.\d+' ise-psc.log

# Extract UserName
grep -oP '(?<=UserName=)[^,]+' ise-psc.log

# Extract NetworkDeviceName
grep -oP '(?<=NetworkDeviceName=)[^,]+' ise-psc.log

# Extract AuthenticationPolicy
grep -oP '(?<=SelectedAuthorizationPolicy=)[^,]+' ise-psc.log

ISE Session Data

# Session ID (32 hex characters)
grep -oP '\b[0-9a-fA-F]{32}\b' ise-psc.log

# Authentication result
grep -oP '(?<=AuthenticationStatus=)\w+' ise-psc.log

# Failure reason
grep -oP '(?<=FailureReason=)[^,]+' ise-psc.log

# RADIUS attributes
grep -oP '\b(?:Framed-IP-Address|Tunnel-Private-Group-ID|EAP-Type)=[^,]+' ise-psc.log

Exercise: ISE Analysis

cat << 'EOF' > /tmp/ex-ise.txt
2026-03-26T10:00:01 Passed-Authentication: UserName=evan@inside.domusdigitalis.dev, Calling-Station-ID=AA:BB:CC:DD:EE:FF, NAS-IP-Address=10.50.1.10, NetworkDeviceName=sw-access-01, SelectedAuthorizationPolicy=Wired_802.1X_Closed, AuthenticationStatus=AuthenticationPassed
2026-03-26T10:00:02 Failed-Authentication: UserName=unknown, Calling-Station-ID=11:22:33:44:55:66, NAS-IP-Address=10.50.1.10, NetworkDeviceName=sw-access-01, FailureReason=24408 User not found, AuthenticationStatus=AuthenticationFailed
2026-03-26T10:00:03 Passed-Authentication: UserName=gabriel@inside.domusdigitalis.dev, Calling-Station-ID=FF:EE:DD:CC:BB:AA, NAS-IP-Address=10.50.1.11, NetworkDeviceName=sw-access-02, SelectedAuthorizationPolicy=Wired_802.1X_Open, AuthenticationStatus=AuthenticationPassed
EOF

Extract failed MACs with failure reasons

grep 'Failed' /tmp/ex-ise.txt | grep -oP 'Calling-Station-ID=\K[^,]+'
grep 'Failed' /tmp/ex-ise.txt | grep -oP 'FailureReason=\K[^,]+'

Section 6: DNS and Certificate Patterns

Hostname/FQDN

# Simple hostname (alphanumeric + hyphen)
grep -oP '\b[a-zA-Z][a-zA-Z0-9-]*\b' file.txt

# FQDN (hostname.domain.tld)
grep -oP '\b(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}\b' file.txt

# Extract subdomain
grep -oP '^\K[^.]+(?=\.[^.]+\.[^.]+$)' <<< "server.example.com"

DNS Records

# A record format from dig
grep -oP '\S+\s+\d+\s+IN\s+A\s+\K\d+\.\d+\.\d+\.\d+' dig.txt

# MX records
grep -oP '(?<=MX\s)\d+\s+\S+' dig.txt

# TXT/SPF records
grep -oP '(?<=TXT\s)["\047].*["\047]' dig.txt

# CNAME targets
grep -oP '(?<=CNAME\s)\S+' dig.txt

SSL Certificate Data

# Extract CN (Common Name)
grep -oP '(?<=CN=)[^,/]+' cert.txt

# Extract SAN (Subject Alternative Names)
grep -oP '(?<=DNS:)[^,]+' cert.txt

# Extract validity dates
grep -oP '(?<=Not Before: ).*' cert.txt
grep -oP '(?<=Not After : ).*' cert.txt

# Extract serial number
grep -oP '(?<=Serial Number:)\s*\K[0-9a-fA-F:]+' cert.txt

# Extract issuer
grep -oP '(?<=Issuer: ).*' cert.txt

Exercise: Certificate Parsing

cat << 'EOF' > /tmp/ex-cert.txt
Certificate:
    Subject: CN=server.inside.domusdigitalis.dev, O=Domus, C=US
    Issuer: CN=Domus PKI CA, O=Domus, C=US
    Validity:
        Not Before: Mar 26 00:00:00 2026 GMT
        Not After : Mar 26 23:59:59 2027 GMT
    Subject Alternative Name:
        DNS:server.inside.domusdigitalis.dev, DNS:server, IP:10.50.1.100
EOF

Extract all DNS names and IPs from SAN

grep -oP '(?<=DNS:)[^,\s]+' /tmp/ex-cert.txt
grep -oP '(?<=IP:)[^\s,]+' /tmp/ex-cert.txt

Section 7: JSON/YAML Extraction

JSON Patterns (Without jq)

# Extract value for a key (simple JSON)
grep -oP '"key":\s*"\K[^"]+' file.json

# Extract numeric value
grep -oP '"count":\s*\K\d+' file.json

# Extract boolean
grep -oP '"enabled":\s*\K(true|false)' file.json

# Extract nested key
grep -oP '"outer":\s*\{[^}]*"inner":\s*"\K[^"]+' file.json

# Extract array items (simple)
grep -oP '"\K[^"]+(?="[,\]])' file.json

YAML Patterns

# Extract value after key (YAML)
grep -oP '^\s*key:\s*\K\S+' file.yaml

# Extract quoted values
grep -oP '^\s*\w+:\s*["\047]\K[^"\047]+' file.yaml

# Extract list items
grep -oP '^\s*-\s*\K\S+' file.yaml

# Extract indented blocks
awk '/^pattern:/,/^[^ ]/' file.yaml

Kubernetes YAML

# Extract image names
grep -oP '(?<=image: )\S+' deployment.yaml

# Extract container names
grep -oP '(?<=- name: )\S+' deployment.yaml

# Extract resource limits
grep -oP '(?<=memory: )[0-9]+[MG]i?' deployment.yaml

# Extract labels
grep -oP '(?<=app: )\S+' deployment.yaml

# Extract namespace
grep -oP '(?<=namespace: )\S+' deployment.yaml

Exercise: JSON Extraction

cat << 'EOF' > /tmp/ex-json.txt
{"name": "server-01", "ip": "10.50.1.100", "enabled": true, "ports": [22, 80, 443]}
{"name": "server-02", "ip": "10.50.1.101", "enabled": false, "ports": [22, 8080]}
{"name": "server-03", "ip": "10.50.1.102", "enabled": true, "ports": [22]}
EOF

Extract names of enabled servers only

grep '"enabled": true' /tmp/ex-json.txt | grep -oP '"name": "\K[^"]+'

Output: server-01, server-03

Section 8: Security Audit Patterns

Credential Detection

# Password patterns (common formats)
grep -iP '(password|passwd|pwd)\s*[=:]\s*\S+' file.txt

# API keys (generic)
grep -oP '(?:api[_-]?key|apikey)\s*[=:]\s*\K\S+' file.txt

# AWS Access Keys (starts with AKIA)
grep -oP 'AKIA[0-9A-Z]{16}' file.txt

# AWS Secret Keys (40 chars base64)
grep -oP '[A-Za-z0-9+/]{40}' file.txt

# Generic secrets
grep -iP '(secret|token|bearer|auth)\s*[=:]\s*["'\'']?\K[^\s"'\'']+' file.txt

SSH Key Detection

# Private key headers
grep -P '-----BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----' file.txt

# Public key patterns
grep -oP 'ssh-(rsa|ed25519|ecdsa)\s+[A-Za-z0-9+/]+=*' file.txt

# Key fingerprints
grep -oP 'SHA256:[A-Za-z0-9+/]{43}' file.txt
grep -oP '(?:[0-9a-f]{2}:){15}[0-9a-f]{2}' file.txt

Vulnerability Patterns

# CVE IDs
grep -oP 'CVE-\d{4}-\d{4,}' file.txt

# Common misconfigurations
grep -iP '(AllowAll|PermitRootLogin\s+yes|disable.*ssl|NOPASSWD)' file.txt

# Hardcoded IPs in code
grep -P '(?<!#.*)(\d{1,3}\.){3}\d{1,3}' *.py *.sh

# SQL injection vectors
grep -iP '(union\s+select|or\s+1\s*=\s*1|drop\s+table)' file.txt

Audit Logging

# Successful sudo commands
grep -oP '(?<=COMMAND=)\S+' /var/log/auth.log

# Failed login attempts
grep -oP '(?<=Failed password for( invalid user)? )\w+' /var/log/auth.log

# SSH connections
grep -oP 'Accepted \w+ for \K\w+(?= from)' /var/log/auth.log

# Unusual ports
grep -oP 'port (\d+)' /var/log/auth.log | sort | uniq -c | sort -rn

Section 9: Combined Patterns (Advanced)

Multi-Field Extraction

# Extract user, IP, port from SSH logs
grep 'Accepted' /var/log/auth.log | \
  grep -oP '(?:for |from |port )\K\S+' | \
  paste - - -

# Alternative with awk
awk '/Accepted/{print $9, $11, $13}' /var/log/auth.log

# ISE: MAC, IP, Policy in one line
grep 'Passed' ise.log | \
  awk -F'[=,]' '{for(i=1;i<=NF;i++) if($i~/Calling-Station-ID|NAS-IP|Policy/) print $(i+1)}'

Context-Aware Extraction

# IP only if followed by "failed"
grep -oP '\d+\.\d+\.\d+\.\d+(?=.*failed)' file.txt

# MAC only if auth passed
grep 'Passed' ise.log | grep -oP '(?<=Calling-Station-ID=)[^,]+'

# Port only from specific service
grep 'nginx' access.log | grep -oP '(?<=:)\d+(?=\s)'

Negative Patterns (Exclusion)

# IPs NOT in private range
grep -oP '\b\d+\.\d+\.\d+\.\d+\b' file.txt | \
  grep -vP '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)'

# Lines with IP but NOT localhost
grep -P '\d+\.\d+\.\d+\.\d+' file.txt | grep -v '127.0.0.1'

# MACs NOT starting with specific OUI
grep -oiP '(?:[0-9A-F]{2}:){5}[0-9A-F]{2}' file.txt | \
  grep -viP '^AA:BB:CC'

Section 10: Performance Patterns

Optimized Patterns

# Atomic groups (prevent backtracking)
# Use possessive quantifiers where supported
grep -oP '\d++\.\d++\.\d++\.\d++' file.txt

# Anchored patterns (faster)
grep -oP '^\d{4}-\d{2}-\d{2}' file.txt

# Specific character classes (not .)
grep -oP '[0-9]{1,3}(?:\.[0-9]{1,3}){3}' file.txt  # Better than \d

Reducing Backtracking

# BAD: Catastrophic backtracking potential
# grep -oP '.*error.*' huge.log

# GOOD: More specific
grep -oP '^[^:]*error[^$]*$' huge.log

# BAD: Greedy with backtracking
# grep -oP '<div>.*</div>' html.txt

# GOOD: Negated class
grep -oP '<div>[^<]*</div>' html.txt

Tool Comparison Matrix

Pattern Type grep -P sed awk

Pattern Type	grep -P	sed	awk
IPv4	`\d\{1,3}(\.\d\{1,3}){3}`	`[0-9]\{1,3\}\.[0-9]…`	`/\.[0-9]\.\.[0-9]/`
MAC (colon)	`([0-9A-F]{2}:){5}[0-9A-F]{2}`	`\([0-9A-F]{2}:\){5}…`	`/[0-9A-F:]+/ && length($0)==17`
Lookbehind	`(?⇐prefix)\w+`	N/A (use capture)	N/A (use split/match)
Lookahead	`\w+(?=suffix)`	N/A	N/A

IPv4

\d\{1,3}(\.\d\{1,3}){3}

[0-9]\{1,3\}\.[0-9]…

/\.[0-9]\.\.[0-9]/

MAC (colon)

([0-9A-F]{2}:){5}[0-9A-F]{2}

$[0-9A-F]{2}:${5}…

/[0-9A-F:]+/ && length($0)==17

Lookbehind

(?⇐prefix)\w+

N/A (use capture)

N/A (use split/match)

Lookahead

\w+(?=suffix)

N/A

Real-World Scripts

Daily Security Audit

#!/bin/bash
# Extract failed SSH attempts by IP

grep 'Failed password' /var/log/auth.log | \
  grep -oP 'from \K\d+\.\d+\.\d+\.\d+' | \
  sort | uniq -c | sort -rn | head -10

ISE Auth Report

#!/bin/bash
# Count auth results by policy

grep -oP '(?<=SelectedAuthorizationPolicy=)[^,]+' /var/log/ise-psc.log | \
  sort | uniq -c | sort -rn

Config Diff Validator

#!/bin/bash
# Extract all IPs from config and verify reachability

grep -oP '\b\d{1,3}(?:\.\d{1,3}){3}\b' config.txt | \
  sort -u | \
  while read ip; do
    ping -c1 -W1 "$ip" >/dev/null 2>&1 && \
      echo "OK: $ip" || echo "FAIL: $ip"
  done

Self-Test: Boss Level Challenge

Given this log snippet:

cat << 'EOF' > /tmp/boss-test.txt
2026-03-26T10:00:01Z [INFO] User evan@domain.com connected from 10.50.1.100 (MAC: AA:BB:CC:DD:EE:FF)
2026-03-26T10:00:02Z [ERROR] Auth failed for user admin@other.com from 192.168.1.200 (MAC: 11:22:33:44:55:66)
2026-03-26T10:00:03Z [INFO] User gabriel@domain.com connected from 10.50.1.101 (MAC: FF:EE:DD:CC:BB:AA)
2026-03-26T10:00:04Z [WARN] Rate limit exceeded from 203.0.113.50
2026-03-26T10:00:05Z [ERROR] Connection timeout from 198.51.100.25
EOF

Challenges:

Extract all unique IPs from ERROR lines
Extract all MACs from INFO lines only
Extract usernames (before @) from successful connections
Extract all non-private IPs
Create a report: timestamp, level, IP (one command)

Solutions

# 1. IPs from ERROR lines
grep '\[ERROR\]' /tmp/boss-test.txt | grep -oP '\d+\.\d+\.\d+\.\d+' | sort -u
# Output: 192.168.1.200, 198.51.100.25

# 2. MACs from INFO lines
grep '\[INFO\]' /tmp/boss-test.txt | grep -oiP '(?:[0-9A-F]{2}:){5}[0-9A-F]{2}'
# Output: AA:BB:CC:DD:EE:FF, FF:EE:DD:CC:BB:AA

# 3. Usernames from successful (INFO) connections
grep '\[INFO\].*connected' /tmp/boss-test.txt | grep -oP '(?<=User )[^@]+'
# Output: evan, gabriel

# 4. Non-private IPs
grep -oP '\d+\.\d+\.\d+\.\d+' /tmp/boss-test.txt | \
  grep -vP '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)' | sort -u
# Output: 198.51.100.25, 203.0.113.50

# 5. Report
grep -oP '(\d{4}-\d{2}-\d{2}T[\d:]+Z).*\[(\w+)\].*(\d+\.\d+\.\d+\.\d+)' /tmp/boss-test.txt | \
  awk -F'[][]' '{print $1, $2, gensub(/.*([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/,"\\1","g",$0)}'
# Or simpler:
awk '{print $1, $2, $NF}' /tmp/boss-test.txt | sed 's/[()]//g'

Key Takeaways

Pattern Application

Pattern	Application
IPv4 with validation	`\b(?:25[0-5]\|2[0-4]\d\|[01]?\d\d?)(?:\.(?:25[0-5]\|2[0-4]\d\|[01]?\d\d?)){3}\b`
MAC universal	`(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}`
Log timestamp ISO	`\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{4}\|Z)`
Config value	`(?⇐key=)\S+` or `key=\K\S+`
JSON value	`"key":\s*"\K[^"]+`
Exclude private IPs	`grep -vP '^(10\.\|172\.(?:1[6-9]\|2\d\|3[01])\.\|192\.168\.)'`

IPv4 with validation

\b(?:25[0-5]|2[0-4]\d|[01]?\d\d?)(?:\.(?:25[0-5]|2[0-4]\d|[01]?\d\d?)){3}\b

MAC universal

(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}

Log timestamp ISO

\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:[+-]\d{4}|Z)

Config value

(?⇐key=)\S+ or key=\K\S+

JSON value

"key":\s*"\K[^"]+

Exclude private IPs

grep -vP '^(10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.)'

Congratulations!

You’ve completed the BOSS LEVEL infrastructure patterns drill. You now have the regex skills to:

Parse any log format
Extract configuration data
Audit security issues
Process network data at scale

Next Steps

Practice daily with real logs
Build a personal pattern library
Contribute patterns to team documentation

Drill 10: Advanced Techniques - Atomic groups, conditionals, and recursive patterns.