Extract particular string from stream

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP












0















I have a file in which snort signatures are stored, I need to extract Bold ones "sid" and CVE number from that signature, here is a sample signature



alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; pcre:"/]classids=s*[x22x27]?sclsidsx3as*x7B?s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)




Output: 2012158 [space] CVE-2010-3973











share|improve this question
























  • What have you done so far? Have you tried anything on your own? What is the result, if any?

    – Panki
    Jan 4 at 10:29











  • I have started building the awk: awk 'for (I=1;I<=NF;I++) if ($I == "refernce") print $(I+1);' snort.rules , still I am working on this...

    – chandu
    Jan 4 at 10:35















0















I have a file in which snort signatures are stored, I need to extract Bold ones "sid" and CVE number from that signature, here is a sample signature



alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; pcre:"/]classids=s*[x22x27]?sclsidsx3as*x7B?s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)




Output: 2012158 [space] CVE-2010-3973











share|improve this question
























  • What have you done so far? Have you tried anything on your own? What is the result, if any?

    – Panki
    Jan 4 at 10:29











  • I have started building the awk: awk 'for (I=1;I<=NF;I++) if ($I == "refernce") print $(I+1);' snort.rules , still I am working on this...

    – chandu
    Jan 4 at 10:35













0












0








0


1






I have a file in which snort signatures are stored, I need to extract Bold ones "sid" and CVE number from that signature, here is a sample signature



alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; pcre:"/]classids=s*[x22x27]?sclsidsx3as*x7B?s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)




Output: 2012158 [space] CVE-2010-3973











share|improve this question
















I have a file in which snort signatures are stored, I need to extract Bold ones "sid" and CVE number from that signature, here is a sample signature



alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Microsoft WMI Administration Tools WEBSingleView.ocx ActiveX Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"2745E5F5-D234-11D0-847A-00C04FD7BB08"; nocase; distance:0; pcre:"/]classids=s*[x22x27]?sclsidsx3as*x7B?s*2745E5F5-D234-11D0-847A-00C04FD7BB08.+(AddContextRef|ReleaseContext)/smi"; reference:url,xcon.xfocus.net/XCon2010_ChenXie_EN.pdf; reference:url,wooyun.org/bug.php?action=view&id=1006; reference:bid,45546; reference:cve,CVE-2010-3973; classtype:attempted-user; sid:2012158; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag ActiveX, signature_severity Major, created_at 2011_01_06, updated_at 2016_07_01;)




Output: 2012158 [space] CVE-2010-3973








linux awk sed grep






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Jan 4 at 10:29







chandu

















asked Jan 4 at 10:19









chanduchandu

1446




1446












  • What have you done so far? Have you tried anything on your own? What is the result, if any?

    – Panki
    Jan 4 at 10:29











  • I have started building the awk: awk 'for (I=1;I<=NF;I++) if ($I == "refernce") print $(I+1);' snort.rules , still I am working on this...

    – chandu
    Jan 4 at 10:35

















  • What have you done so far? Have you tried anything on your own? What is the result, if any?

    – Panki
    Jan 4 at 10:29











  • I have started building the awk: awk 'for (I=1;I<=NF;I++) if ($I == "refernce") print $(I+1);' snort.rules , still I am working on this...

    – chandu
    Jan 4 at 10:35
















What have you done so far? Have you tried anything on your own? What is the result, if any?

– Panki
Jan 4 at 10:29





What have you done so far? Have you tried anything on your own? What is the result, if any?

– Panki
Jan 4 at 10:29













I have started building the awk: awk 'for (I=1;I<=NF;I++) if ($I == "refernce") print $(I+1);' snort.rules , still I am working on this...

– chandu
Jan 4 at 10:35





I have started building the awk: awk 'for (I=1;I<=NF;I++) if ($I == "refernce") print $(I+1);' snort.rules , still I am working on this...

– chandu
Jan 4 at 10:35










3 Answers
3






active

oldest

votes


















1














$ grep -E -o -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | awk -F '[:,]' ' sid=$2; getline; print sid, $3 '
2012158 CVE-2010-3973


This uses grep to extract the two bits of info from the data that we are interested in. It does this by using -o (to return only the bit of the line that matches the given expressions) and matching the sid field and the correct reference field. The output of the grep command will be



sid:2012158
reference:cve,CVE-2010-3973


The awk program will then read the first line from grep, extract the number into the variable sid, read the next line and print the stored sid and the third field (a field here is anything delimited by either a comma or a colon).






share|improve this answer






























    0














    A small modification to @Kusalananda's answer, piping the output of grep expression to cut seems to work perfectly on my zsh shell.



    grep -o -E -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | cut -d':' -f2 | cut -d',' -f2





    share|improve this answer






























      0














      j=`awk 'print NF' filename`
      [root@praveen_linux_example ~]# for ((i=1;i<=$j;i++)); do awk -v i="$i" '$i ~ /CVE-2010-3973/||$i ~ /^sid/print $i' filename;done| awk -F [,:] 'print $NF'| sed "s/;//g"| sed -n -e '1h' -e '2p;g;p'| sed "N;s/n/ /g"


      output



      2012158 CVE-2010-3973





      share|improve this answer






















        Your Answer








        StackExchange.ready(function()
        var channelOptions =
        tags: "".split(" "),
        id: "106"
        ;
        initTagRenderer("".split(" "), "".split(" "), channelOptions);

        StackExchange.using("externalEditor", function()
        // Have to fire editor after snippets, if snippets enabled
        if (StackExchange.settings.snippets.snippetsEnabled)
        StackExchange.using("snippets", function()
        createEditor();
        );

        else
        createEditor();

        );

        function createEditor()
        StackExchange.prepareEditor(
        heartbeatType: 'answer',
        autoActivateHeartbeat: false,
        convertImagesToLinks: false,
        noModals: true,
        showLowRepImageUploadWarning: true,
        reputationToPostImages: null,
        bindNavPrevention: true,
        postfix: "",
        imageUploader:
        brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
        contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
        allowUrls: true
        ,
        onDemand: true,
        discardSelector: ".discard-answer"
        ,immediatelyShowMarkdownHelp:true
        );



        );













        draft saved

        draft discarded


















        StackExchange.ready(
        function ()
        StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f492437%2fextract-particular-string-from-stream%23new-answer', 'question_page');

        );

        Post as a guest















        Required, but never shown

























        3 Answers
        3






        active

        oldest

        votes








        3 Answers
        3






        active

        oldest

        votes









        active

        oldest

        votes






        active

        oldest

        votes









        1














        $ grep -E -o -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | awk -F '[:,]' ' sid=$2; getline; print sid, $3 '
        2012158 CVE-2010-3973


        This uses grep to extract the two bits of info from the data that we are interested in. It does this by using -o (to return only the bit of the line that matches the given expressions) and matching the sid field and the correct reference field. The output of the grep command will be



        sid:2012158
        reference:cve,CVE-2010-3973


        The awk program will then read the first line from grep, extract the number into the variable sid, read the next line and print the stored sid and the third field (a field here is anything delimited by either a comma or a colon).






        share|improve this answer



























          1














          $ grep -E -o -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | awk -F '[:,]' ' sid=$2; getline; print sid, $3 '
          2012158 CVE-2010-3973


          This uses grep to extract the two bits of info from the data that we are interested in. It does this by using -o (to return only the bit of the line that matches the given expressions) and matching the sid field and the correct reference field. The output of the grep command will be



          sid:2012158
          reference:cve,CVE-2010-3973


          The awk program will then read the first line from grep, extract the number into the variable sid, read the next line and print the stored sid and the third field (a field here is anything delimited by either a comma or a colon).






          share|improve this answer

























            1












            1








            1







            $ grep -E -o -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | awk -F '[:,]' ' sid=$2; getline; print sid, $3 '
            2012158 CVE-2010-3973


            This uses grep to extract the two bits of info from the data that we are interested in. It does this by using -o (to return only the bit of the line that matches the given expressions) and matching the sid field and the correct reference field. The output of the grep command will be



            sid:2012158
            reference:cve,CVE-2010-3973


            The awk program will then read the first line from grep, extract the number into the variable sid, read the next line and print the stored sid and the third field (a field here is anything delimited by either a comma or a colon).






            share|improve this answer













            $ grep -E -o -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | awk -F '[:,]' ' sid=$2; getline; print sid, $3 '
            2012158 CVE-2010-3973


            This uses grep to extract the two bits of info from the data that we are interested in. It does this by using -o (to return only the bit of the line that matches the given expressions) and matching the sid field and the correct reference field. The output of the grep command will be



            sid:2012158
            reference:cve,CVE-2010-3973


            The awk program will then read the first line from grep, extract the number into the variable sid, read the next line and print the stored sid and the third field (a field here is anything delimited by either a comma or a colon).







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Jan 4 at 10:35









            KusalanandaKusalananda

            124k16235386




            124k16235386























                0














                A small modification to @Kusalananda's answer, piping the output of grep expression to cut seems to work perfectly on my zsh shell.



                grep -o -E -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | cut -d':' -f2 | cut -d',' -f2





                share|improve this answer



























                  0














                  A small modification to @Kusalananda's answer, piping the output of grep expression to cut seems to work perfectly on my zsh shell.



                  grep -o -E -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | cut -d':' -f2 | cut -d',' -f2





                  share|improve this answer

























                    0












                    0








                    0







                    A small modification to @Kusalananda's answer, piping the output of grep expression to cut seems to work perfectly on my zsh shell.



                    grep -o -E -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | cut -d':' -f2 | cut -d',' -f2





                    share|improve this answer













                    A small modification to @Kusalananda's answer, piping the output of grep expression to cut seems to work perfectly on my zsh shell.



                    grep -o -E -e 'sid:[^;]+' -e 'reference:cve,[^;]+' file | cut -d':' -f2 | cut -d',' -f2






                    share|improve this answer












                    share|improve this answer



                    share|improve this answer










                    answered Jan 4 at 11:06









                    LungtenLungten

                    111




                    111





















                        0














                        j=`awk 'print NF' filename`
                        [root@praveen_linux_example ~]# for ((i=1;i<=$j;i++)); do awk -v i="$i" '$i ~ /CVE-2010-3973/||$i ~ /^sid/print $i' filename;done| awk -F [,:] 'print $NF'| sed "s/;//g"| sed -n -e '1h' -e '2p;g;p'| sed "N;s/n/ /g"


                        output



                        2012158 CVE-2010-3973





                        share|improve this answer



























                          0














                          j=`awk 'print NF' filename`
                          [root@praveen_linux_example ~]# for ((i=1;i<=$j;i++)); do awk -v i="$i" '$i ~ /CVE-2010-3973/||$i ~ /^sid/print $i' filename;done| awk -F [,:] 'print $NF'| sed "s/;//g"| sed -n -e '1h' -e '2p;g;p'| sed "N;s/n/ /g"


                          output



                          2012158 CVE-2010-3973





                          share|improve this answer

























                            0












                            0








                            0







                            j=`awk 'print NF' filename`
                            [root@praveen_linux_example ~]# for ((i=1;i<=$j;i++)); do awk -v i="$i" '$i ~ /CVE-2010-3973/||$i ~ /^sid/print $i' filename;done| awk -F [,:] 'print $NF'| sed "s/;//g"| sed -n -e '1h' -e '2p;g;p'| sed "N;s/n/ /g"


                            output



                            2012158 CVE-2010-3973





                            share|improve this answer













                            j=`awk 'print NF' filename`
                            [root@praveen_linux_example ~]# for ((i=1;i<=$j;i++)); do awk -v i="$i" '$i ~ /CVE-2010-3973/||$i ~ /^sid/print $i' filename;done| awk -F [,:] 'print $NF'| sed "s/;//g"| sed -n -e '1h' -e '2p;g;p'| sed "N;s/n/ /g"


                            output



                            2012158 CVE-2010-3973






                            share|improve this answer












                            share|improve this answer



                            share|improve this answer










                            answered Jan 13 at 20:28









                            Praveen Kumar BSPraveen Kumar BS

                            1,340138




                            1,340138



























                                draft saved

                                draft discarded
















































                                Thanks for contributing an answer to Unix & Linux Stack Exchange!


                                • Please be sure to answer the question. Provide details and share your research!

                                But avoid


                                • Asking for help, clarification, or responding to other answers.

                                • Making statements based on opinion; back them up with references or personal experience.

                                To learn more, see our tips on writing great answers.




                                draft saved


                                draft discarded














                                StackExchange.ready(
                                function ()
                                StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f492437%2fextract-particular-string-from-stream%23new-answer', 'question_page');

                                );

                                Post as a guest















                                Required, but never shown





















































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown

































                                Required, but never shown














                                Required, but never shown












                                Required, but never shown







                                Required, but never shown






                                Popular posts from this blog

                                How to check contact read email or not when send email to Individual?

                                Displaying single band from multi-band raster using QGIS

                                How many registers does an x86_64 CPU actually have?