hmm, like an RE IDE - you might look at Komodo (www.activestate.com), the
perl IDE which includes the RE editor/debugger. I think that's what
you're after. There are a couple of freeware ones too. A nice RE links
page w/ a couple of those IDEs:
http://dmoz.org/Computers/Programming/Languages/Regular_Expressions/
perl:
http://dmoz.org/Computers/Programming/Languages/Regular_Expressions/Perl/
snortlog.pl comes w/ Snort (or it did) and shows one way to go at it - use
the REs to divide the log entries down to types and then handle each
particular log entry format separately. So you don't need one complex RE
but a number of simpler ones. This is a good way to go when you're not
clear on what to do - break it down into much smaller problems, e.g.
(modified from snortlog - not my code):
while (<LOG>) {
    next if ( ( /WARNING/ ) ||
              ( /ERROR/ ) ||
              ( /SIG/ ) ||
              ( /Restarting/ ) ||
              ( /received signal/ ) ||
              ( /Initialization/i )
            );
    if ( /ICMP/ ) {
        doicmp($rest);
        next;
    }
    if ( /spp_stream/i ) {
        $text = $fields[2];
        if ( ( $text =~ /NMAP/i ) ||
             ( $text =~ /STEALTH/i ) ) {
            $text =~ s/\{.*$//;    # get rid of extraneous data
            $text = " " . $text;
        }
    }
    if ( /portscan/i ) {
        ....
    # print result
} # while <LOG>
A thing to note about this approach - put your results into an array (or
arrays) inside the while loop and then check for those arrays afterwards.
If there's nothing in them, you don't print anything. If there is, then
if ( @portscans ) {
    print "Port Scans\n";
    foreach my $portscan ( @portscans ) {
        print "$portscan\n";
    } # foreach @portscans
} # if @portscans
if ( @ICMP ) {
    ...
this also lets you use command line stuff to print out only the ones you
want:
if ( @portscans and $print_portscans ) {
    ...
You do end up having to try:
$res =~ m/:\s+([^:]*):\s(?:\{ICMP})?\s*([\d\.]+\d)\s\-\>\s([\d\.]+\d)/;
I usually put two or three lines of the log strings above the ugly RE
part:
# ICMP Nmap2.36BETA or HPING2 Echo : {ICMP} 10.205.1.7 -> 10.205.18.100
# pswiwd snort: ICMP superscan echo from windows:
# 62.206.32.121 -> 10.205.18.200
to help me try and figure out why it's not working. To that end, make sure
you print out unhandled log lines, after they've run the gamut of your
while loop.
a
Andy Bach, Sys. Mangler
Internet: [EMAIL PROTECTED]
VOICE: (608) 261-5738 FAX 264-5030
"We are either doing something, or we are not. 'Talking about' is a
subset of 'not'." -- Mike Sphar in alt.sysadmin.recovery
_______________________________________________
Perl-Win32-Admin mailing list
[EMAIL PROTECTED]
To unsubscribe: http://listserv.ActiveState.com/mailman/mysubs
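The approach Andy describes, as one complete, runnable script. This is an added example and is neither snortlog.pl nor the poster's code: the noise filter, the per-type handlers, the result arrays printed only when non-empty, the command-line switches, and the "unhandled lines" bucket are all here in one place. The option names (`--no-portscans`, `--no-icmp`), the portscan RE, and the sample log lines under `__DATA__` are assumptions constructed for the example; the ICMP RE and its two sample lines are the ones from the post.

```perl
#!/usr/bin/perl
# Added example (not snortlog.pl, not the poster's code): the "many simple
# REs" approach, run over constructed Snort-style alert lines embedded below.
# Option names, the portscan RE and the sample lines are assumptions.
use strict;
use warnings;
use Getopt::Long;

# Command-line switches so you can print only the sections you want
# (names are assumptions; --no-portscans / --no-icmp suppress a section).
my ( $print_portscans, $print_icmp ) = ( 1, 1 );
GetOptions( 'portscans!' => \$print_portscans, 'icmp!' => \$print_icmp )
    or die "usage: $0 [--no-portscans] [--no-icmp]\n";

my ( @portscans, @icmp, @unhandled );

# Step 1: throw away noise lines with simple, separate REs.
my @noise = ( qr/WARNING/, qr/ERROR/, qr/SIG/, qr/Restarting/,
              qr/received signal/, qr/Initialization/i );

# Sample lines kept above the ugly RE so you can see what it must match:
# ICMP Nmap2.36BETA or HPING2 Echo : {ICMP} 10.205.1.7 -> 10.205.18.100
# snort: ICMP superscan echo from windows: 62.206.32.121 -> 10.205.18.200
my $icmp_re = qr/:\s+([^:]*):\s(?:\{ICMP\})?\s*([\d.]+\d)\s->\s([\d.]+\d)/;

# Assumed layout: "spp_portscan: PORTSCAN DETECTED from 10.0.0.5 (...)"
my $portscan_re = qr/portscan:?\s+(.*?)\s+from\s+([\d.]+\d)/i;

while ( my $line = <DATA> ) {
    chomp $line;
    next if $line =~ /^\s*$/;
    next if grep { $line =~ $_ } @noise;

    # Step 2: route each line to its own small handler; no single monster RE.
    if ( $line =~ /ICMP/ ) {
        if ( my ( $type, $src, $dst ) = $line =~ $icmp_re ) {
            $type =~ s/\s+$//;
            push @icmp, "$src -> $dst  ($type)";
            next;
        }
    }
    if ( $line =~ /portscan/i ) {
        if ( my ( $what, $src ) = $line =~ $portscan_re ) {
            push @portscans, "$src  ($what)";
            next;
        }
    }
    # Step 3: anything that fell through every handler is kept, not dropped,
    # so a broken RE or a new log format shows up instead of vanishing.
    push @unhandled, $line;
}

# Step 4: print a section only when its array has something in it.
if ( @portscans and $print_portscans ) {
    print "Port Scans\n";
    print "  $_\n" for @portscans;
}
if ( @icmp and $print_icmp ) {
    print "ICMP\n";
    print "  $_\n" for @icmp;
}
if (@unhandled) {
    print "Unhandled lines (fix the REs or add a handler):\n";
    print "  $_\n" for @unhandled;
}

# Constructed sample log lines, loosely shaped like old Snort syslog output.
__DATA__
Jan 12 03:04:05 sensor snort: WARNING: rule file reloaded
Jan 12 03:04:07 sensor snort: ICMP Nmap2.36BETA or HPING2 Echo : {ICMP} 10.205.1.7 -> 10.205.18.100
Jan 12 03:04:09 sensor snort: ICMP superscan echo from windows: 62.206.32.121 -> 10.205.18.200
Jan 12 03:04:11 sensor snort: spp_portscan: PORTSCAN DETECTED from 10.205.1.7 (THRESHOLD 4 connections in 2 seconds)
Jan 12 03:04:13 sensor snort: spp_stream4: STEALTH ACTIVITY (NMAP XMAS scan) detection {TCP} 10.205.1.7:1234 -> 10.205.18.100:80
```

Run it as-is to see the WARNING line dropped, the two ICMP lines and the portscan line sorted into their sections, and the spp_stream4 line land in "Unhandled lines" because no handler claims it; that last bucket is the one that tells you which RE to fix next. To read a real file instead of the embedded sample, replace `<DATA>` with a filehandle opened on the log.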