Date:      Thu, 23 Jan 2014 21:33:52 +0000
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: awk programming question
Message-ID:  <20140123213352.5f289890@gumby.homeunix.com>
In-Reply-To: <alpine.BSF.2.00.1401231346520.80613@wonkity.com>
References:  <F01EB9CE742DEB17DB6B51C7@localhost> <alpine.BSF.2.00.1401230900270.76961@wonkity.com> <20140123185604.4cbd7611@gumby.homeunix.com> <04a201cf1878$8ebce540$ac36afc0$@FreeBSD.org> <alpine.BSF.2.00.1401231346520.80613@wonkity.com>

On Thu, 23 Jan 2014 13:57:03 -0700 (MST)
Warren Block wrote:

> On Thu, 23 Jan 2014, dteske@FreeBSD.org wrote:
> 
> >> From: RW [mailto:rwmaillists@googlemail.com]
> >> Note that awk supports +, but not newfangled things like *.
> >
> > With respect to regex, what awk really needs is the quantifier
> > syntax...
> >
> > * = {0,} = zero or more
> > + = {1,} = one or more
> > {x,y} = any quantity from x inclusively up to y
> > {x,} = any quantity from x or more
> 
> I think RW meant to type that awk did not have the newfangled "?" for 
> non-greedy matches.

No, I meant it doesn't support *, which had been used in all the
previous awk examples in this thread, and would have been
interpreted as a literal "*".

$ echo "sid:2008120; re" | awk ' {match($0,/[0-9]+/) ; \
        s=substr($0,RSTART,RLENGTH) ; print "_",s,"_"} '
_ 2008120 _
21:12 (bob) ~
$ echo "sid:2008120; re" | awk ' {match($0,/[0-9]*/) ; \
        s=substr($0,RSTART,RLENGTH) ; print "_",s,"_"} '
_  _


On Thu, 23 Jan 2014 12:20:26 -0800
dteske@FreeBSD.org wrote:

> 1. sig-msg.map file according to OP shouldn't have the quotes that are
> present from the snort rule input
> 2. Doesn't ignore lines of disinterest

I know nothing about snort - I was just going on the previous posts,
but FWIW removing the quotes is just a matter of changing:
 
    msg = substr($0,RSTART+4, RLENGTH-5)

to 

    msg = substr($0,RSTART+5, RLENGTH-6)
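The match()/substr() extraction discussed in this message, as an added example that is not part of the original post or thread. The rule lines are constructed samples, the patterns `sid:[0-9]+` and `msg:"[^"]+"` and the `sid || msg` output layout are assumptions (the patterns from the earlier posts are not shown here), and the offsets below belong to these patterns only.

```shell
#!/bin/sh
# Constructed sample input: Snort-style rules, one commented out,
# one blank line, and one rule that has neither msg nor sid.
sample_rules() {
cat <<'EOF'
# alert tcp any any -> any 22 (msg:"disabled rule"; sid:2008119; rev:1;)
alert tcp any any -> any 80 (msg:"ET TEST Example one"; flow:established; sid:2008120; rev:3;)

alert udp any any -> any 53 (msg:"ET TEST Example two"; sid:2008121; rev:1;)
alert tcp any any -> any 25 (flow:established; rev:1;)
EOF
}

# Read rules on stdin, print "sid || msg" with the quotes removed.
# Lines of no interest (comments, blanks, rules missing a field) are skipped.
rules_to_map() {
    awk '
    /^#/ { next }    # commented-out rules and comments
    {
        # match() sets RSTART/RLENGTH; it returns 0 when nothing matched
        if (!match($0, /sid:[0-9]+/)) next
        # skip the 4 characters of "sid:" and keep the digits
        sid = substr($0, RSTART + 4, RLENGTH - 4)

        if (!match($0, /msg:"[^"]+"/)) next
        # skip the 5 characters of msg:" and drop the closing quote:
        # 5 leading + 1 trailing = 6 characters removed from RLENGTH
        msg = substr($0, RSTART + 5, RLENGTH - 6)

        print sid " || " msg
    }'
}

# Stand-alone run over the constructed sample.
sample_rules | rules_to_map
```

Checking the return value of match() before calling substr() is what keeps lines without a sid or msg out of the output; without it RSTART is 0 and substr() returns text unrelated to the field.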


