From owner-freebsd-questions@FreeBSD.ORG Thu Jan 23 15:44:31 2014
Date: Thu, 23 Jan 2014 09:43:59 -0600
From: Paul Schmehl
To: Freebsd Questions
Subject: awk programming question
X-Mailer: Mulberry/4.1.0a1 (Mac OS X)
List-Id: User questions

I'm kind of stubborn. There's lots of different ways to skin a cat, but I like to force myself to use the built-in utilities to do things so I can learn more about them and better understand how they work.
So, I'm trying to parse a file of snort rules, extract two string values and insert a double pipe between them to create a sig-msg.map file.

Here's a typical rule:

    alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2008120; rev:1;)

Here's a typical sig-msg.map file entry:

    9624 || RPC UNIX authentication machinename string overflow attempt UDP

So, from the above rule I would want to create a single line like this:

    2008120 || E3[rb] ET POLICY Outbound TFTP Read Request

There are several ways I can extract one or the other value, and I've figured out how to extract the sid and add the double pipe, but for the life of me I can't figure out how to extract and print out sid || msg.

This prints out the sid and the double pipe:

    awk 'match($0,/sid:[0-9]*;/) {print substr($0,RSTART,RLENGTH)" || "}' /tmp/mtc.rules | tr -d ";sid"

It seems I could put the results into a variable rather than printing them out, and then print var1 || var2, but my google foo hasn't found a useful example. Surely there's a way to do this using awk? I can use tr for cleanup. I just need to get close to the right result.

How about it, awk experts? What's the cleanest way to get this done?

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have renounced the use of reason as to administer medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very intelligent person could believe in them." George Orwell
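One way to do what the post asks with awk alone, as an added example that is not part of the original message or a reply on the list. It calls match() twice, once for the sid option and once for the msg option, and slices each out of $0 with substr() before printing "sid || msg", so no tr cleanup is needed. Doing the cleanup with tr -d ";sid" is risky once the msg text is involved, because tr deletes every ';', 's', 'i' and 'd' character anywhere on the line (and leaves the colon after "sid" in place); slicing at fixed offsets inside the matched option avoids that. The sample rules are constructed for this example (the first is the one quoted in the post); the assumptions are one rule per line and no escaped double quote inside the msg text.

```shell
#!/bin/sh
# Added example (not code from the original post): build sig-msg.map lines
# ("sid || msg") from snort rules using only awk.
# Assumptions: one rule per line; the msg text contains no embedded double quote.

# Constructed sample input. The first rule is the one quoted in the post,
# the other two are made up here: one with the word "sid" inside its msg
# text, and one commented out the way disabled snort rules usually are.
sample_rules() {
    cat <<'EOF'
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2008120; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXAMPLE constructed rule with sid in its text"; content:"abc"; sid:9999999; rev:2;)
#alert tcp any any -> any any (msg:"EXAMPLE disabled rule"; sid:9999998; rev:1;)
EOF
}

# Read rules on stdin, write "sid || msg" lines on stdout.
# Commented-out rules are skipped, as is any line missing either option.
# The sid is taken only from the "sid:<digits>;" option, so the word "sid"
# inside the msg text does not disturb the result.
rules_to_sigmap() {
    awk '
        /^[[:space:]]*#/ { next }                       # skip disabled rules
        /sid:[0-9]+;/ && /msg:"[^"]*";/ {
            match($0, /sid:[0-9]+;/)
            sid = substr($0, RSTART + 4, RLENGTH - 5)   # drop "sid:" and ";"
            match($0, /msg:"[^"]*";/)
            msg = substr($0, RSTART + 5, RLENGTH - 7)   # drop msg:" and ";
            print sid " || " msg
        }'
}

# Stand-alone usage with the constructed sample; on a real file:
#   rules_to_sigmap < /tmp/mtc.rules > sig-msg.map
sample_rules | rules_to_sigmap
```

Each match() call overwrites RSTART and RLENGTH, which is why the value is saved into a variable right after each call before the next match() runs; that is the "put the results into a variable" step the post was looking for.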