Data extraction manipulation using awk [duplicate]
This question already has an answer here:
Log file extract data and append back same line
I have a snort.rule file. I need to extract the CVE numbers that follow the reference key from each line and append them back into the msg field of the same line inside flower brackets. Below is the old log.
alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference: /infosec/blog/2013/01/29; reference:arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959;sid:2016303; rev:4;)
Required output is below; the bold ones are the new changes:
alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2 cve,2012-5958 cve,2012-5959"; content:"Intel SDK for UPnP devices"; pcre:"/^Server\x3a[^\r\n]*Intel SDK for UPnP devices/mi"; reference: /infosec/blog/2013/01/29; reference: arch/UPnP-arch-DeviceArchitecture-v1.1.pdf; reference:cve,2012-5958; reference:cve,2012-5959;sid:2016303; rev:4;)
I have an issue with the awk code below: it removes the semicolons between all keys when displaying the results. The last sub function is the culprit. I need to correct the code below:
awk -F';' '{
    for ( i = 1 ; i <= NF ; i++ ) {
        if ( $i ~ "msg" )
            a = i
        if ( $i ~ "reference:cve," ) {
            b = $i
            sub ( ".*:" , "" , b )
            c = c " " b
        }
    }
    sub ( "\"$" , "" c "\"" , $a )
}1' snort.rule
shell-script awk sed
marked as duplicate by Rui F Ribeiro, Haxiel, Michael Homer, elbarna, roaima Mar 7 at 21:56
@Thor the old brother.
– chandu
Mar 7 at 14:02
edited Mar 7 at 14:07 by Rui F Ribeiro
asked Mar 7 at 13:54 by chandu
1 Answer
I would use perl here:

perl -pe '$" = " "; @cves = /reference:\s*(cve,\d+-\d+)/g;
  s/msg:\s*"(?:\\.|[^\\"])*\K/ @cves/ if (@cves)'

Also handling msgs with embedded \".
Your solution worked, thank you. Any idea on the above awk code? Can you help resolve why the second sub() call is omitting the semicolons between keys when displaying the results?
– chandu
Mar 7 at 14:26
answered Mar 7 at 14:04 by Stéphane Chazelas
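The awk question left open in the comment has a short answer: any assignment to a field (sub() on $a counts) makes awk rebuild $0 by joining the fields with OFS, which defaults to a single space, so every ';' separator becomes a space. Setting OFS=';' keeps them. The following is an added example, not the asker's or the answerer's code; the sample rules and the function names append_cves and nth_rule are constructed for it, and it also resets the accumulator c per record, which the original code never does, so CVEs from one rule would otherwise leak into every later rule.

```shell
#!/bin/sh
# Added example: the awk approach from the question with the OFS defect fixed.
# sub() on $a rebuilds $0 joined with OFS (default " "), which is what dropped
# the ';' separators; OFS=';' preserves them. c is reset for every record.
append_cves() {
    awk -F';' -v OFS=';' '{
        a = 0; c = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /msg:/) a = i
            if ($i ~ /reference:[ \t]*cve,/) {
                b = $i
                sub(/.*:[ \t]*/, "", b)   # keep only "cve,YYYY-NNNN"
                c = c " " b
            }
        }
        # only rewrite the record when a msg field and at least one CVE exist
        if (a && c != "") sub("\"$", c "\"", $a)
        print
    }'
}

# Constructed sample input: two rules, the second without any CVE reference.
SAMPLE_RULES='alert udp $HOME_NET 1900 -> any any (msg:"ET INFO UPnP Discovery Search Response vulnerable UPnP device 2"; content:"Intel SDK for UPnP devices"; reference:cve,2012-5958; reference:cve,2012-5959;sid:2016303; rev:4;)
alert tcp any any -> any 80 (msg:"Constructed rule without CVE"; content:"foo"; sid:9999999; rev:1;)'

# Helper (constructed) returning the n-th rewritten rule; usage: nth_rule 1
nth_rule() {
    printf '%s\n' "$SAMPLE_RULES" | append_cves | sed -n "${1}p"
}

printf '%s\n' "$SAMPLE_RULES" | append_cves
```

Splitting on every ';' assumes there is no escaped \; inside quoted msg or content values, which real Snort rules can contain; the perl answer above sidesteps that by never splitting on ';' at all.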