Extract particular string from stream

I have a file in which Snort signatures are stored. I need to extract the bold parts, the "sid" and the CVE number, from that signature. Here is a sample signature:



alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; pcre:"/]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)




Output: 2012158 [space] CVE-2010-3973
linux awk sed grep

asked Jan 4 at 10:19 by chandu, edited Jan 4 at 10:29
  • What have you done so far? Have you tried anything on your own? What is the result, if any?

    – Panki
    Jan 4 at 10:29

  • I have started building the awk: awk '{for (I=1;I<=NF;I++) if ($I == "reference") print $(I+1);}' snort.rules , I am still working on this...

    – chandu
    Jan 4 at 10:35

3 Answers
$ grep -E -o -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | awk -F '[:,]' '{ sid=$2; getline; print sid, $3 }'
2012158 CVE-2010-3973

This uses grep to extract the two bits of info from the data that we are interested in. It does this by using -o (to return only the bit of the line that matches the given expressions) and matching the sid field and the correct reference field. The output of the grep command will be

sid:2012158
reference:cve,CVE-2010-3973

The awk program will then read the first line from grep, extract the number into the variable sid, read the next line and print the stored sid and the third field (a field here is anything delimited by either a comma or a colon).







answered Jan 4 at 10:35 by Kusalananda
A small modification to @Kusalananda's answer: piping the output of the grep expression to cut seems to work perfectly in my zsh shell.

grep -o -E -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | cut -d':' -f2 | cut -d',' -f2






answered Jan 4 at 11:06 by Lungten
j=`awk '{print NF}' filename`
for ((i=1;i<=$j;i++)); do awk -v i="$i" '$i ~ /CVE-2010-3973/||$i ~ /^sid/{print $i}' filename;done| awk -F '[,:]' '{print $NF}'| sed "s/;//g"| sed -n -e '1h' -e '2{p;g;p}'| sed "N;s/\n/ /g"

output

2012158 CVE-2010-3973






answered Jan 13 at 20:28 by Praveen Kumar BS
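The three answers above pair the sid with the CVE by position in the grep output (or, in the last one, by hard-coding the CVE to match). That holds for the single rule in the question, but across a whole ruleset rules can carry no reference:cve option, several of them, or be commented out, and then a sid ends up printed next to the wrong CVE or with none. The script below is an added example, not code from this thread or from the Snort or Emerging Threats projects: it parses each rule's option block, prints one line per (sid, CVE) pair and a "-" placeholder for rules without a CVE reference, skips disabled rules, and normalises the two reference styles (Emerging Threats writes reference:cve,CVE-2010-3973, Talos/VRT rules write reference:cve,2010-3973). It assumes one rule per line, as in ET rule files. The function names extract_sid_cve and sample_rules are this example's own, and sample_rules is a constructed fixture: the rule from the question with its pcre and metadata options shortened, plus three made-up local rules (sids in the 1000000+ local range, placeholder CVE ids 0000-0001 and 0000-0002 that are not real CVEs).

```shell
#!/bin/sh
# Added example (not from the thread above). Prints "<sid> <CVE id>" for every
# reference:cve option a rule carries, or "<sid> -" when it carries none, so the
# sid/CVE pairing cannot drift out of step across a ruleset. Options are split
# on ";", which is fine for sid/reference; a quoted pcre/content body that
# itself contained "; sid:" would be mis-split (accepted here for brevity).

extract_sid_cve() {
    # Reads the files given as arguments, or stdin when none are given.
    awk '
        /^[ \t]*(#|$)/ { next }               # skip blank lines and disabled rules
        {
            sid = ""; ncve = 0; split("", cves)
            body = $0
            sub(/^[^(]*\(/, "", body)          # drop the rule header up to "("
            sub(/\)[ \t]*$/, "", body)         # drop the closing ")"
            n = split(body, opt, ";")
            for (i = 1; i <= n; i++) {
                o = opt[i]
                gsub(/^[ \t]+|[ \t]+$/, "", o) # trim the option
                if (o ~ /^sid:/) {
                    sid = substr(o, 5)
                } else if (o ~ /^reference:cve,/) {
                    cve = substr(o, 15)
                    # ET writes "cve,CVE-2010-3973"; Talos/VRT rules write "cve,2010-3973".
                    if (cve !~ /^CVE-/) cve = "CVE-" cve
                    cves[++ncve] = cve
                }
            }
            if (sid == "") next                # not a rule line we understand
            if (ncve == 0) print sid, "-"
            for (i = 1; i <= ncve; i++) print sid, cves[i]
        }
    ' "$@"
}

# Constructed fixture for this example, not a real ruleset: the rule from the
# question (pcre/metadata options shortened), a disabled copy of a rule, a
# VRT-style rule with two placeholder CVE references, and a rule with no CVE.
sample_rules() {
    cat <<'EOF'
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:2;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL disabled rule"; reference:cve,CVE-2010-3973; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"LOCAL two CVE references, VRT style"; flow:to_server,established; reference:cve,0000-0001; reference:cve,0000-0002; classtype:attempted-admin; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL no CVE reference"; reference:url,example.invalid/advisory; classtype:misc-activity; sid:1000003; rev:1;)
EOF
}

sample_rules | extract_sid_cve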


























