Perl script, regular expressions and snortlog.

Ondrej Koala Vacha koala na fi.muni.cz
Wednesday November 28 09:49:49 CET 2001


On Tue, 27 Nov 2001, Jaroslav Stefka wrote:

> Nov 18 05:23:06 linux snort[389]: SCAN Proxy attempt: 199.254.234.44:2361 -> 193.165.203.3:8080
>
> And this line was processed in the snort2html script by this sequence:
>
> /(.*\s[1-9]*)(\d+\s)(..:..:..\s)(.*:\s)(.*:\s)(.*\d\s)(.*\s)(.*)/;
    ^^^^^^^^

I think something is wrong there, probably a copying error - this way it puts
one digit into the first regex group, i.e. 'Nov 1'

>
> # Variables extracted from pattern matching above.
> $month=$1;
> $day=$2;
> $timeofday=$3;
> $hour=$3;
> $attack=$5;
> $sourceip=$6;
> $sourceport=$6;
> $targetip=$8;
> $targetport=$8;
>
> The new snort log format is as follows:
>
> Nov 25 08:32:48 linux snort: [1:1256:2] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 193.194.90.3:4732 -> 193.165.203.100:80
>


/(.*\s)(\d+\s)(..:..:..\s)(.*:\s)(\[.*?\]\s)(.*\s)(\[.*?\]\s)(\[.*?\]:\s)(\{.*?\}\s)([\d.]+):(\d+\s)(.*\s)([\d.]+):(\d+)/

doing it all with one expression is a bit hard to read, but if that's how it has to be...

# Groups of the match above:
#   $1 month, $2 day, $3 time, $4 "host snort: ", $5 "[gid:sid:rev]",
#   $6 rule message, $7 "[Classification: ...]", $8 "[Priority: N]: ",
#   $9 "{PROTO}", $10:$11 source ip:port, $12 "-> ", $13:$14 target ip:port
# (groups 1-9, 11 and 12 keep their trailing space, as in the original script)
$month=$1;
$day=$2;
$timeofday=$3;
$attack=$6;
$classattack=$7;
$sourceip=$10;
$sourceport=$11;
$targetip=$13;
$targetport=$14;
($hour) = ($timeofday =~ /^(\d+):/);   # hour is the part of hh:mm:ss before the first colon


-- 
Ondrej Koala Vacha
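The following is an added example and not the snort2html code discussed in the thread. It parses both the old and the new snort syslog formats with one anchored, commented pattern per format and named captures, so each field is taken by name instead of by counting fourteen groups, and a line that fits neither format is rejected instead of being split into wrong fields (the 'Nov 1' problem above). It assumes Perl 5.10 or newer (for (?<name>...), %+ and //). The first two sample lines are the ones quoted in the thread; the other two are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not the snort2html code from the thread: parse both the old
# and the new snort syslog formats with one anchored, commented pattern each
# and named captures. Assumes Perl 5.10 or newer (for (?<name>...), %+ and //).
use strict;
use warnings;
use 5.010;

# Old format, as in the first line quoted in the thread:
#   Nov 18 05:23:06 linux snort[389]: SCAN Proxy attempt: 199.254.234.44:2361 -> 193.165.203.3:8080
my $OLD = qr/
    ^(?<month>\w{3}) \s+ (?<day>\d{1,2}) \s+ (?<time>\d\d:\d\d:\d\d) \s+
    (?<host>\S+) \s+ snort (?:\[\d+\])? : \s+          # "snort:" or "snort[pid]:"
    (?<attack>.+?) : \s+                               # shortest text before ": "
    (?<sip>[\d.]+) : (?<sport>\d+) \s+ -> \s+
    (?<dip>[\d.]+) : (?<dport>\d+) \s* $
/x;

# New format, as in the second line quoted in the thread. The Classification
# part is optional: a rule without a classtype produces no such field.
#   Nov 25 08:32:48 linux snort: [1:1256:2] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 193.194.90.3:4732 -> 193.165.203.100:80
my $NEW = qr/
    ^(?<month>\w{3}) \s+ (?<day>\d{1,2}) \s+ (?<time>\d\d:\d\d:\d\d) \s+
    (?<host>\S+) \s+ snort (?:\[\d+\])? : \s+
    \[ (?<sid>[\d:]+) \] \s+                           # [gid:sid:rev]
    (?<attack>.+?) \s+                                 # rule message
    (?: \[Classification: \s+ (?<class>[^\]]+) \] \s+ )?
    \[Priority: \s+ (?<prio>\d+) \] : \s+
    \{ (?<proto>\w+) \} \s+
    (?<sip>[\d.]+) : (?<sport>\d+) \s+ -> \s+
    (?<dip>[\d.]+) : (?<dport>\d+) \s* $
/x;

# Returns a hashref of the named fields plus 'format' and 'hour', or undef
# when the line is in neither format, so a caller can skip it instead of
# getting mis-assigned fields from a partial match.
sub parse_snort_line {
    my ($line) = @_;
    chomp $line;
    my %f;
    if    ($line =~ $NEW) { %f = %+; $f{format} = 'new' }
    elsif ($line =~ $OLD) { %f = %+; $f{format} = 'old' }
    else                  { return undef }
    ($f{hour}) = $f{time} =~ /^(\d+):/;   # same extraction the reply uses for $hour
    return \%f;
}

# Sample input: the two lines posted in the thread, plus a constructed
# new-format line without a Classification field and one non-snort line.
my @samples = (
    'Nov 18 05:23:06 linux snort[389]: SCAN Proxy attempt: 199.254.234.44:2361 -> 193.165.203.3:8080',
    'Nov 25 08:32:48 linux snort: [1:1256:2] WEB-IIS CodeRed v2 root.exe access [Classification: Web Application Attack] [Priority: 1]: {TCP} 193.194.90.3:4732 -> 193.165.203.100:80',
    'Nov 25 09:01:10 linux snort: [1:2000:1] EXAMPLE constructed alert [Priority: 3]: {UDP} 10.0.0.5:5353 -> 10.0.0.1:53',
    'Nov 25 09:02:00 linux sshd[512]: Accepted publickey for root from 10.0.0.9 port 40000',
);

for my $line (@samples) {
    my $f = parse_snort_line($line);
    if (!$f) { print "skip: $line\n"; next }
    printf "%s %s %s %02d:%s %s:%s -> %s:%s  [%s] %s\n",
        $f->{format}, $f->{month}, $f->{day}, $f->{hour}, $f->{time},
        $f->{sip}, $f->{sport}, $f->{dip}, $f->{dport},
        $f->{class} // 'no classification', $f->{attack};
}
```

Because both patterns are anchored with ^ and $ and use specific classes (\d, \S, [^\]]) instead of .* for every field, a line that does not fit is refused outright rather than matched in some unintended way, and the captured values carry no trailing whitespace, so they can be compared or used as hash keys without an extra trim.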


