MARK

Overview of the MARK Operator

The MARK operator will instruct the engine to report only the <left pattern> that matched; the <right pattern> that matched will not be reported.

The generic GLASS syntax for MARK is:

<left pattern> MARK <right pattern>

<left pattern> MARK [MINIMAL]

Understanding the MARK Operator

There are two versions or rules for the MARK operator:

  1. Primary rule (WORD, RANGE, GROUP) version
    Not providing the <right pattern> after the MARK operator is equivalent to not using the MARK operator at all.

  2. Score rule (SCORE) version The <right pattern> is not specified, as the point of the MARK operator in a scoring expression is not to limit the MARK to a certain matched pattern of the primary rule, but to extend the matched pattern of the primary rule into the score rule's matched pattern. By default, the score rule MARK operator is greedy and will "consume" as much data as possible. Specifying the MINIMAL modifier instructs the MARK operator to stop reporting as soon as the first <left pattern> match has been reported.

    See RANK and SCORE for more information.

MARK Example 1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21		 ALIAS 'ACCESS_LEVEL' RANGE DIGIT
ALIAS 'USERNAME' RANGE ALNUM TIMES 1-8
ALIAS 'UID' RANGE DIGIT TIMES 1-10
ALIAS 'GID' RANGE DIGIT TIMES 1-10
ALIAS 'PASSWORD' RANGE 'a-zA-Z0-9`~!@#$%^&*()_+=<>?' TIMES 8-32

LABEL 'L0'
REFER 'ACCESS_LEVEL' BOUND LEFT LINE THEN WORD ':' THEN \
  REFER 'USERNAME' THEN WORD ':' THEN \
  REFER 'UID' THEN WORD ':' THEN \
  REFER 'GID' THEN WORD ':' THEN \
  REFER 'PASSWORD' BOUND RIGHT LINE

LABEL 'L1'
REFER 'ACCESS_LEVEL' BOUND LEFT LINE THEN WORD ':' THEN \
  ( \
    REFER 'USERNAME' THEN WORD ':' THEN \
    REFER 'UID' THEN WORD ':' THEN \
    REFER 'GID' \
  ) MARK THEN WORD ':' THEN \
  REFER 'PASSWORD' BOUND RIGHT LINE

Based on Example 1, the following lines will be reported as matches for the labels L0 and L1 respectively.

L0

1
2
3		 0:root:1:1:password
1:yoda:2:2:PassYouKnowNot
1:vader:3:2:I_am_your_father!

L1

1
2
3		 0:root:1:1:password
1:yoda:2:2:PassYouKnowNot
1:vader:3:2:I_am_your_father!

MARK Example 2

1
2
3
4
5
6
7
8		 SCORE 'SCORE_JOHNDOE_PASSPORT' +1 BEFORE \
  RANGE PRINTABLE TIMES 1-40 THEN \
  WORD NOCASE 'passport' BOUND NONALNUM THEN \
  RANGE PRINTABLE TIMES 1-40 THEN \
  WORD NOCASE 'Doe' MARK

LABEL 'JOHNDOE_PASSPORT'
WORD '12345' BOUND NONALNUM RANK -1 'SCORE_JOHNDOE_PASSPORT'

Based on the above example, as the MARK operator is "greedy" by default, a single match across line 1 and line 2 below will be reported.

1
2		 John Doe, Driver Lic #67890
John Doe, Passport #12345

If we add the MINIMAL keyword in line 5 of the above GLASS code, the GLASS engine will stop reporting the match as soon as the first occurrence of the word Doe has been found.

SCORE 'SCORE_JOHNDOE_PASSPORT' +1 BEFORE \
  RANGE PRINTABLE TIMES 1-40 THEN \
  WORD NOCASE 'passport' BOUND NONALNUM THEN \
  RANGE PRINTABLE TIMES 1-40 THEN \
  WORD NOCASE 'Doe' MARK MINIMAL

LABEL 'JOHNDOE_PASSPORT'
WORD '12345' BOUND NONALNUM RANK -1 'SCORE_JOHNDOE_PASSPORT'
1
2		 John Doe, Driver Lic #67890
John Doe, Passport #12345