HEEElp
Posted: Tue Jul 21, 2009 3:36 am
by Mourus
Hello, I would like to know if someone could help me to create a regex for a rule. The log looks like this:
<NFCP>FWIP,2,07/21/2009 7:56:14,SOURCEIP,SOURCEPORT,DESTINATIONIP,DESTINAT IONPORT,,,drop,udp,,,,s-UDP-389,IPADRESS,,0,,11,237,,'21Jul2009 7:56:14:drop:fw1:inbound:eth-s3p3c0:0:VPN-1 & FireWall-1:product=VPN-1 & FireWall-1[db_tag={D2A7175A-72F3-11DE-A8B2-5150013FF2F2};mgmt=cma_;date=1247850240;policy_nam e=CMA__20090717-3-HMS]:h-XXX_XXX_ActiveDirectory-1.1.1.1

2.2.2.2:s-UDP-389:udp:237',eth-s3p3c0,inbound,,
and I would like to capture
FWIP, SOURCEIP, DESTINATIONPORT UDP 53 or 389, and that it's drop,udp.
Anybody help?
Re: HEEElp
Posted: Tue Jul 21, 2009 5:10 am
by prometheuzz
That's a rather vague question. I presume that the things like "SOURCEIP" are actually some other values? To be able to recommend a solution, it is necessary to see the actual input. It is also important you describe your data as precisely as possible. Right now, you just dumped one line of text without any explanation. For example, a better explanation would be: "I'm looking for the value SOURCEIP which can be an IPv4 address or a hostname. This value would be placed between the 3rd and 4th comma in the text."
Also, could you post what you yourself have already tried? Be sure to use code tags.
Thanks.
Re: HEEElp
Posted: Tue Jul 21, 2009 5:31 am
by Mourus
prometheuzz wrote:
That's a rather vague question. I presume that the things like "SOURCEIP" are actually some other values? To be able to recommend a solution, it is necessary to see the actual input. It is also important you describe your data as precisely as possible. Right now, you just dumped one line of text without any explanation. For example, a better explanation would be: "I'm looking for the value SOURCEIP which can be an IPv4 address or a hostname. This value would be placed between the 3rd and 4th comma in the text."
Also, could you post what you yourself have already tried? Be sure to use code tags.
Thanks.
Hi,
This is the output of the log file and I want to reject this one, because I don't need it. The reject should be based on the
"FW ip eg 8.8.0.5"
"Source ip 10.1.120.120 or 10.1.120.121"
Destination Port 53 or 389 UDP
<NFCP>8.8.0.5,2,07/16/2009 10:5:39,10.1.120.120,3968,10.14.1.71,389,,,drop,udp,,,,s-UDP-389,10.2.28.1,,0,,11,237,,'16Jul2009 10:05:39:drop:fw1-wxxt:inbound:eth-s3p3c0:0:VPN-1 & FireWall-1:product=VPN-1 & FireWall-1[db_tag={4C94B01E-6803-11DE-8A16-5150013F7575};mgmt=cma_wxxt;date=1246647424;policy_name=CMA_WXXT_20090703-1-MRS]:h-EIN_RNS_ActiveDirectory-10.1.120.120

10.14.1.71:s-UDP-389:udp:237',eth-s3p3c0,inbound,,
Re: HEEElp
Posted: Tue Jul 21, 2009 5:38 am
by prometheuzz
Mourus wrote:
prometheuzz wrote:
That's a rather vague question. I presume that the things like "SOURCEIP" are actually some other values? To be able to recommend a solution, it is necessary to see the actual input. It is also important you describe your data as precisely as possible. Right now, you just dumped one line of text without any explanation. For example, a better explanation would be: "I'm looking for the value SOURCEIP which can be an IPv4 address or a hostname. This value would be placed between the 3rd and 4th comma in the text."
Also, could you post what you yourself have already tried? Be sure to use code tags.
Thanks.
Hi,
This is the output of the log file and I want to reject this one, because I don't need it. The reject should be based on the
"FW ip eg 8.8.0.5"
"Source ip 10.1.120.120 or 10.1.120.121"
Destination Port 53 or 389 UDP
<NFCP>8.8.0.5,2,07/16/2009 10:5:39,10.1.120.120,3968,10.14.1.71,389,,,drop,udp,,,,s-UDP-389,10.2.28.1,,0,,11,237,,'16Jul2009 10:05:39:drop:fw1-wxxt:inbound:eth-s3p3c0:0:VPN-1 & FireWall-1:product=VPN-1 & FireWall-1[db_tag={4C94B01E-6803-11DE-8A16-5150013F7575};mgmt=cma_wxxt;date=1246647424;policy_name=CMA_WXXT_20090703-1-MRS]:h-EIN_RNS_ActiveDirectory-10.1.120.120

10.14.1.71:s-UDP-389:udp:237',eth-s3p3c0,inbound,,
You didn't explain the format of your log file. Read my reply again and specifically look at how I described the SOURCEIP. You also did not post what you have tried yourself. If you haven't tried anything, just say so, but don't ignore what I ask of you please. It now looks like you haven't even taken the trouble to carefully read my reply!
Re: HEEElp
Posted: Tue Jul 21, 2009 6:08 am
by Mourus
Hello, the log file is a normal Unix log file, not sure what you mean. And the regex I tried is this one:
([^,]*),(\d*),([^,]*),([^,)]*),(\d*),([^,]*),(\d*),([^,]*),(\d*),drop,udp,([^,]*),(\d*),(\d*),([^,]*),([^,]*),([^,]*),(\d*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),(.*)
And sorry for that ignorant reply before, but I didn't see you also wanted from me what I have tried. Hope it helps a bit.
I did some trying and maybe it could be something like this?
([^,]*),(\d),([^,]*),(10\.1\.120\.120|10\.1\.120\.121),(\d*),([^,]*),(389|53),,,(drop.udp),(\d*),(\d*),([^,]*),([^,]*),([^,]*),(\d*),([^,]*),([^,]*),([^,]*),([^,]*),([^,]*),'([^']*)',([^,]*),(.*)
Re: HEEElp
Posted: Tue Jul 21, 2009 6:58 am
by prometheuzz
Never mind about the format...
This regex does what you want:
^[^>]*>([^,]*),(?:[^,]*,){2}([^,]*),.*?UDP-(\d+)
Demo:
$text = "<NFCP>8.8.0.5,2,07/16/2009 10:5:39,10.1.120.120,3968,10.14.1.71,389,,,drop,udp,,,,s-UDP-389,10.2.28.1,,0,,11,237,,'16Jul2009 10:05:39:drop:fw1-wxxt:inbound:eth-s3p3c0:0:VPN-1 & FireWall-1:product=VPN-1 & FireWall-1[db_tag={4C94B01E-6803-11DE-8A16-5150013F7575};mgmt=cma_wxxt;date=1246647424;policy_name=CMA_WXXT_20090703-1-MRS]:h-EIN_RNS_ActiveDirectory-10.1.120.120:3968:10.14.1.71:s-UDP-389:udp:237',eth-s3p3c0,inbound,,";
preg_match('/^[^>]*>([^,]*),(?:[^,]*,){2}([^,]*),.*?UDP-(\d+)/i', $text, $match);
print_r($match);
which produces:
Array
(
[0] => <NFCP>8.8.0.5,2,07/16/2009 10:5:39,10.1.120.120,3968,10.14.1.71,389,,,drop,udp,,,,s-UDP-389
[1] => 8.8.0.5
[2] => 10.1.120.120
[3] => 389
)
In other words, the first group ($match[1]) contains "8.8.0.5", $match[2] contains "10.1.120.120" and $match[3] contains "389".
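The following is an added example, not code from either poster. It runs the regex from this reply in Python, next to a field-based check that covers everything the opening post asked for (firewall IP 8.8.0.5, source 10.1.120.120 or 10.1.120.121, destination UDP port 53 or 389, action drop). The regex takes the port from the s-UDP-389 service name rather than from the destination-port column and does not look at the drop/udp columns, so if this filter is going to feed a SIEM or alerting rule, the column check is the safer one. The first record is the line quoted in the thread; the other records, the make_record helper and the function names are constructed for this example.

```python
import csv
import re

# The regex posted in the thread, with the same case-insensitive flag.
FORUM_RE = re.compile(r"^[^>]*>([^,]*),(?:[^,]*,){2}([^,]*),.*?UDP-(\d+)", re.I)

# The rule from the opening post.
FW_IPS = {"8.8.0.5"}
SOURCE_IPS = {"10.1.120.120", "10.1.120.121"}
DEST_PORTS = {"53", "389"}

# The record quoted in the thread, verbatim.
THREAD_LINE = (
    "<NFCP>8.8.0.5,2,07/16/2009 10:5:39,10.1.120.120,3968,10.14.1.71,389,,,drop,udp,,,,"
    "s-UDP-389,10.2.28.1,,0,,11,237,,'16Jul2009 10:05:39:drop:fw1-wxxt:inbound:eth-s3p3c0:0:"
    "VPN-1 & FireWall-1:product=VPN-1 & FireWall-1[db_tag={4C94B01E-6803-11DE-8A16-5150013F7575};"
    "mgmt=cma_wxxt;date=1246647424;policy_name=CMA_WXXT_20090703-1-MRS]:h-EIN_RNS_ActiveDirectory-"
    "10.1.120.120:3968:10.14.1.71:s-UDP-389:udp:237',eth-s3p3c0,inbound,,"
)


def make_record(fw, src, sport, dst, dport, action, proto):
    """Build a constructed NFCP record in the thread's column layout.

    Columns 0-10 are the ones the rule needs; the quoted free-text field is
    kept (shortened) because it is what makes a bare split(',') fragile.
    """
    svc = f"s-{proto.upper()}-{dport}"
    return (f"<NFCP>{fw},2,07/16/2009 10:5:39,{src},{sport},{dst},{dport},,,"
            f"{action},{proto},,,,{svc},10.2.28.1,,0,,11,237,,"
            f"'16Jul2009 10:05:39:{action}:fw1-wxxt:inbound:eth-s3p3c0:0:"
            f"VPN-1 & FireWall-1:{svc}:{proto}:237',eth-s3p3c0,inbound,,")


# Constructed sample log: one real line plus variants that exercise each clause.
SAMPLE_LOG = [
    THREAD_LINE,                                                                       # reject
    make_record("8.8.0.5", "10.1.120.121", "4011", "10.14.1.71", "53", "drop", "udp"),   # reject
    make_record("8.8.0.5", "10.1.120.120", "4012", "10.14.1.71", "389", "accept", "tcp"),  # keep
    make_record("8.8.0.5", "10.1.120.50", "4013", "10.14.1.71", "389", "drop", "udp"),    # keep: other source
    make_record("8.8.0.9", "10.1.120.120", "4014", "10.14.1.71", "53", "drop", "udp"),    # keep: other firewall
]


def forum_match(line):
    """Apply the thread's regex; returns (fw, src, port) or None."""
    m = FORUM_RE.search(line)
    return m.groups() if m else None


def parse_fields(line):
    """Split one NFCP record into its comma-separated columns.

    The record carries a single-quoted free-text field, so the csv module with
    quotechar="'" is used instead of split(','), which would break if that
    field ever contained a comma.
    """
    body = line.split(">", 1)[1] if line.startswith("<NFCP>") else line
    return next(csv.reader([body], quotechar="'"))


def should_reject(line):
    """True when the record matches the full rule from the opening post."""
    fields = parse_fields(line)
    if len(fields) < 11:
        return False
    fw, src, dport, action, proto = fields[0], fields[3], fields[6], fields[9], fields[10]
    return (fw in FW_IPS and src in SOURCE_IPS and dport in DEST_PORTS
            and action.lower() == "drop" and proto.lower() == "udp")


def filter_log(lines):
    """Return the records that are kept, i.e. not rejected by the rule."""
    return [line for line in lines if not should_reject(line)]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(forum_match(line), "reject" if should_reject(line) else "keep")
```

On the sample log, the regex also matches the record from source 10.1.120.50 (it only captures the fields, it does not test them), while should_reject drops exactly the two records that satisfy every clause of the rule.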
Re: HEEElp
Posted: Tue Jul 21, 2009 7:15 am
by Mourus
Yes, it does the job also, but I think mine also does the job, if you want to take more instances (if needed in future)... not just the one you did choose.
Good job for helping me in that...
Re: HEEElp
Posted: Tue Jul 21, 2009 7:40 am
by prometheuzz
Mourus wrote:
Yes, it does the job also, but I think mine also does the job, if you want to take more instances (if needed in future)... not just the one you did choose.
Then I don't see the point in your original question. Why ask if you already have a satisfactory solution yourself?
Mourus wrote:
Good job for helping me in that...
You're welcome.
Re: HEEElp
Posted: Tue Jul 21, 2009 8:10 am
by Mourus
No, it didn't work when I posted my question. I worked my way till the end solution, because on the first tries it didn't work as I'm learning the regex on the fly... and "RegexBuddy" helped me in this a lot...
Re: HEEElp
Posted: Tue Jul 21, 2009 8:18 am
by prometheuzz
Mourus wrote:
No, it didn't work when I posted my question. I worked my way till the end solution, because on the first tries it didn't work as I'm learning the regex on the fly... and "RegexBuddy" helped me in this a lot...
Ah, I see. Anyway, glad to hear you found a solution.