HEEElp

Any questions involving matching text strings to patterns - the pattern is called a "regular expression."

Mourus
Forum Newbie
Posts: 5
Joined: Tue Jul 21, 2009 3:35 am

HEEElp

Post by Mourus »

Hello, I would like to know if someone could help me to create a regex for a rule. The log looks like this:
<NFCP>FWIP,2,07/21/2009 7:56:14,SOURCEIP,SOURCEPORT,DESTINATIONIP,DESTINATIONPORT,,,drop,udp,,,,s-UDP-389,IPADRESS,,0,,11,237,,'21Jul2009 7:56:14:drop:fw1:inbound:eth-s3p3c0:0:VPN-1 & FireWall-1:product=VPN-1 & FireWall-1[db_tag={D2A7175A-72F3-11DE-A8B2-5150013FF2F2};mgmt=cma_;date=1247850240;policy_name=CMA__20090717-3-HMS]:h-XXX_XXX_ActiveDirectory-1.1.1.1:1234:2.2.2.2:s-UDP-389:udp:237',eth-s3p3c0,inbound,,

and I would like to capture
FWIP, SOURCEIP, DESTINATIONPORT (UDP 53 or 389), and that it's drop,udp.

Anybody help?
prometheuzz
Forum Regular
Posts: 779
Joined: Fri Apr 04, 2008 5:51 am

Re: HEEElp

Post by prometheuzz »

That's a rather vague question. I presume that things like "SOURCEIP" are actually some other values? To be able to recommend a solution, it is necessary to see the actual input. It is also important that you describe your data as precisely as possible. Right now, you just dumped one line of text without any explanation. For example, a better explanation would be: "I'm looking for the value SOURCEIP, which can be an IPv4 address or a hostname. This value would be placed between the 3rd and 4th comma in the text."

Also, could you post what you yourself have already tried? Be sure to use code tags.

Thanks.
Mourus
Forum Newbie
Posts: 5
Joined: Tue Jul 21, 2009 3:35 am

Re: HEEElp

Post by Mourus »

prometheuzz wrote:That's a rather vague question. I presume that things like "SOURCEIP" are actually some other values? To be able to recommend a solution, it is necessary to see the actual input. It is also important that you describe your data as precisely as possible. Right now, you just dumped one line of text without any explanation. For example, a better explanation would be: "I'm looking for the value SOURCEIP, which can be an IPv4 address or a hostname. This value would be placed between the 3rd and 4th comma in the text."

Also, could you post what you yourself have already tried? Be sure to use code tags.

Thanks.

Hi,
this is the output of the log file and I want to reject this one, because I don't need it. The reject should be based on the
"FW ip eg 8.8.0.5"
"Source ip 10.1.120.120 or 10.1.120.121"
Destination Port 53 or 389 UDP

<NFCP>8.8.0.5,2,07/16/2009 10:5:39,10.1.120.120,3968,10.14.1.71,389,,,drop,udp,,,,s-UDP-389,10.2.28.1,,0,,11,237,,'16Jul2009 10:05:39:drop:fw1-wxxt:inbound:eth-s3p3c0:0:VPN-1 & FireWall-1:product=VPN-1 & FireWall-1[db_tag={4C94B01E-6803-11DE-8A16-5150013F7575};mgmt=cma_wxxt;date=1246647424;policy_name=CMA_WXXT_20090703-1-MRS]:h-EIN_RNS_ActiveDirectory-10.1.120.120:3968:10.14.1.71:s-UDP-389:udp:237',eth-s3p3c0,inbound,,
prometheuzz
Forum Regular
Posts: 779
Joined: Fri Apr 04, 2008 5:51 am

Re: HEEElp

Post by prometheuzz »

Mourus wrote:
prometheuzz wrote:That's a rather vague question. I presume that things like "SOURCEIP" are actually some other values? To be able to recommend a solution, it is necessary to see the actual input. It is also important that you describe your data as precisely as possible. Right now, you just dumped one line of text without any explanation. For example, a better explanation would be: "I'm looking for the value SOURCEIP, which can be an IPv4 address or a hostname. This value would be placed between the 3rd and 4th comma in the text."

Also, could you post what you yourself have already tried? Be sure to use code tags.

Thanks.

Hi,
this is the output of the log file and I want to reject this one, because I don't need it. The reject should be based on the
"FW ip eg 8.8.0.5"
"Source ip 10.1.120.120 or 10.1.120.121"
Destination Port 53 or 389 UDP

<NFCP>8.8.0.5,2,07/16/2009 10:5:39,10.1.120.120,3968,10.14.1.71,389,,,drop,udp,,,,s-UDP-389,10.2.28.1,,0,,11,237,,'16Jul2009 10:05:39:drop:fw1-wxxt:inbound:eth-s3p3c0:0:VPN-1 & FireWall-1:product=VPN-1 & FireWall-1[db_tag={4C94B01E-6803-11DE-8A16-5150013F7575};mgmt=cma_wxxt;date=1246647424;policy_name=CMA_WXXT_20090703-1-MRS]:h-EIN_RNS_ActiveDirectory-10.1.120.120:3968:10.14.1.71:s-UDP-389:udp:237',eth-s3p3c0,inbound,,
You didn't explain the format of your log file. Read my reply again and specifically look at how I described the SOURCEIP. You also did not post what you have tried yourself. If you haven't tried anything, just say so but don't ignore what I ask of you please. It now looks like you haven't even taken the trouble to carefully read my reply!
Mourus
Forum Newbie
Posts: 5
Joined: Tue Jul 21, 2009 3:35 am

Re: HEEElp

Post by Mourus »

Hello, the log file is a normal Unix log file, not sure what you mean. And the regex I tried is this one:

([^,]*),(\d*),([^,]*),([^,)]*),(\d*),([^,]*),(\d*),([^,]*),(\d*),drop,udp,([^,]*),(\d*),(\d*),([^,]*),([^,]*),([^,]*),(\d*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),(.*)


And sorry for that ignorant reply before, but I didn't see that you also wanted from me what I have tried. Hope it helps a bit.

I did some trying, and maybe it could be something like this?

([^,]*),(\d),([^,]*),(10\.1\.120\.120|10\.1\.120\.121),(\d*),([^,]*),(389|53),,,(drop.udp),(\d*),(\d*),([^,]*),([^,]*),([^,]*),(\d*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),'([^']*)',([^,]*),(.*)
prometheuzz
Forum Regular
Posts: 779
Joined: Fri Apr 04, 2008 5:51 am

Re: HEEElp

Post by prometheuzz »

Never mind about the format...

This regex does what you want:


^[^>]*>([^,]*),(?:[^,]*,){2}([^,]*),.*?UDP-(\d+)
Demo:


$text = "<NFCP>8.8.0.5,2,07/16/2009 10:5:39,10.1.120.120,3968,10.14.1.71,389,,,drop,udp,,,,s-UDP-389,10.2.28.1,,0,,11,237,,'16Jul2009 10:05:39:drop:fw1-wxxt:inbound:eth-s3p3c0:0:VPN-1 & FireWall-1:product=VPN-1 & FireWall-1[db_tag={4C94B01E-6803-11DE-8A16-5150013F7575};mgmt=cma_wxxt;date=1246647424;policy_name=CMA_WXXT_20090703-1-MRS]:h-EIN_RNS_ActiveDirectory-10.1.120.120:3968:10.14.1.71:s-UDP-389:udp:237',eth-s3p3c0,inbound,,";
preg_match('/^[^>]*>([^,]*),(?:[^,]*,){2}([^,]*),.*?UDP-(\d+)/i', $text, $match);
print_r($match);
which produces:


Array
(
    [0] => <NFCP>8.8.0.5,2,07/16/2009 10:5:39,10.1.120.120,3968,10.14.1.71,389,,,drop,udp,,,,s-UDP-389
    [1] => 8.8.0.5
    [2] => 10.1.120.120
    [3] => 389
)
In other words, the first group ($match[1]) contains "8.8.0.5", $match[2] contains "10.1.120.120" and $match[3] contains "389".
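As an added example (not code from the thread), the same extraction in Python done two ways: prometheuzz's regex exactly as posted, and a field-based parser that applies Mourus's suppression rule against the actual columns rather than the "UDP-" service name. The column positions are assumptions read off the sample record above, and every log line except the thread's own is constructed.

```python
import csv
import re

# Added example, not from the thread. Column positions are read off the record posted
# above (0-based, after the "<NFCP>" prefix): fw_ip, ?, timestamp, src_ip, src_port,
# dst_ip, dst_port, then action at 9, protocol at 10, the quoted message at 22.
FW_IP, SRC_IP, DST_PORT, ACTION, PROTO = 0, 3, 6, 9, 10
LINE_RE = re.compile(r'^[^>]*>([^,]*),(?:[^,]*,){2}([^,]*),.*?UDP-(\d+)', re.I)  # prometheuzz's regex
# Suppression rule as Mourus described it: this firewall, these sources, dropped UDP to 53 or 389.
SUPPRESS_FW, SUPPRESS_SRC, SUPPRESS_PORTS = {'8.8.0.5'}, {'10.1.120.120', '10.1.120.121'}, {'53', '389'}

THREAD_LINE = (  # the record from the thread, verbatim
    "<NFCP>8.8.0.5,2,07/16/2009 10:5:39,10.1.120.120,3968,10.14.1.71,389,,,drop,udp,,,,"
    "s-UDP-389,10.2.28.1,,0,,11,237,,'16Jul2009 10:05:39:drop:fw1-wxxt:inbound:eth-s3p3c0:0:"
    "VPN-1 & FireWall-1:product=VPN-1 & FireWall-1[db_tag={4C94B01E-6803-11DE-8A16-5150013F7575};"
    "mgmt=cma_wxxt;date=1246647424;policy_name=CMA_WXXT_20090703-1-MRS]:"
    "h-EIN_RNS_ActiveDirectory-10.1.120.120:3968:10.14.1.71:s-UDP-389:udp:237',eth-s3p3c0,inbound,,")

def make_line(fw, src, sport, dst, dport, action, proto):
    """Constructed record in the thread's column layout; the message field carries a comma on purpose."""
    svc = f"s-{proto.upper()}-{dport}"
    return (f"<NFCP>{fw},2,07/16/2009 10:5:39,{src},{sport},{dst},{dport},,,{action},{proto},,,,"
            f"{svc},10.2.28.1,,0,,11,237,,'16Jul2009 10:05:39:{action}:fw1:inbound:eth-s3p3c0:0:"
            f"VPN-1, FireWall-1:{src}:{sport}:{dst}:{svc}:{proto}:237',eth-s3p3c0,inbound,,")

def parse_nfcp(line):
    """Split one record into named fields; csv with quotechar="'" keeps the message field intact."""
    f = next(csv.reader([line.split('>', 1)[1]], quotechar="'"))   # drop the "<NFCP>" prefix first
    return {'fw_ip': f[FW_IP], 'src_ip': f[SRC_IP], 'dst_port': f[DST_PORT],
            'action': f[ACTION], 'proto': f[PROTO], 'iface': f[23]}

def regex_fields(line):
    """The thread's regex: (fw_ip, src_ip, port taken from the first 'UDP-<n>' service name), else None."""
    m = LINE_RE.search(line)
    return m.groups() if m else None

def should_suppress(rec):
    """The rule checked against the real columns, so the port comes from dst_port, not a service name."""
    return (rec['fw_ip'] in SUPPRESS_FW and rec['src_ip'] in SUPPRESS_SRC
            and rec['dst_port'] in SUPPRESS_PORTS and rec['action'] == 'drop' and rec['proto'] == 'udp')

def filter_log(lines):
    """Keep every line that is not an NFCP record matching the rule (other syslog lines pass through)."""
    return [ln for ln in lines if not ln.startswith('<NFCP>') or not should_suppress(parse_nfcp(ln))]

SAMPLE_LOG = [THREAD_LINE,                                                                   # suppress
              make_line('8.8.0.5', '10.1.120.121', '4001', '10.14.1.72', '53', 'drop', 'udp'),    # suppress
              make_line('8.8.0.5', '10.1.120.120', '4002', '10.14.1.71', '389', 'accept', 'tcp'), # keep
              make_line('8.8.0.9', '10.1.120.120', '4003', '10.14.1.71', '389', 'drop', 'udp')]   # keep
```

The regex silently returns no match for a TCP record (no "UDP-" service name), whereas the field parser still reads its columns and simply leaves it in place; a naive `split(',')` would misalign the interface column on any record whose quoted message contains a comma.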
Mourus
Forum Newbie
Posts: 5
Joined: Tue Jul 21, 2009 3:35 am

Re: HEEElp

Post by Mourus »

Yes, it does the job also, but I think mine also does the job, if you want to take more instances (if needed in future)... not just the one you did choose.
Good job for helping me in that...
prometheuzz
Forum Regular
Posts: 779
Joined: Fri Apr 04, 2008 5:51 am

Re: HEEElp

Post by prometheuzz »

Mourus wrote:Yes, it does the job also, but I think mine also does the job, if you want to take more instances (if needed in future)... not just the one you did choose.
Then I don't see the point in your original question. Why ask if you already have a satisfactory solution yourself?
Mourus wrote:Good job for helping me in that...
You're welcome.
Mourus
Forum Newbie
Posts: 5
Joined: Tue Jul 21, 2009 3:35 am

Re: HEEElp

Post by Mourus »

No, it didn't work when I posted my question. I worked my way till the end solution, because on the first tries it didn't work, as I'm learning the regex on the fly... and "RegexBuddy" helped me in this a lot...
prometheuzz
Forum Regular
Posts: 779
Joined: Fri Apr 04, 2008 5:51 am

Re: HEEElp

Post by prometheuzz »

Mourus wrote:No, it didn't work when I posted my question. I worked my way till the end solution, because on the first tries it didn't work, as I'm learning the regex on the fly... and "RegexBuddy" helped me in this a lot...
Ah, I see. Anyway, glad to hear you found a solution.