From: RW
To: freebsd-questions@freebsd.org
Date: Thu, 23 Jan 2014 21:33:52 +0000
Subject: Re: awk programming question
Message-ID: <20140123213352.5f289890@gumby.homeunix.com>

On Thu, 23 Jan 2014 13:57:03 -0700 (MST)
Warren Block wrote:

> On Thu, 23 Jan 2014, dteske@FreeBSD.org wrote:
>
> >> From: RW [mailto:rwmaillists@googlemail.com]
> >> Note that awk supports +, but not newfangled things like *.
> >
> > With respect to regex, what awk really needs is the quantifier
> > syntax...
> >
> > * = {0,} = zero or more
> > + = {1,} = one or more
> > {x,y} = any quantity from x inclusively up to y
> > {x,} = any quantity from x or more
>
> I think RW meant to type that awk did not have the newfangled "?" for
> non-greedy matches.

No I meant it doesn't support *, which had been used in all the previous
awk examples in this thread, and would have been interpreted as a
literal "*".

$ echo "sid:2008120; re" | awk ' {match($0,/[0-9]+/) ; \
 s=substr($0,RSTART,RLENGTH) ; print "_",s,"_"} '
_ 2008120 _

21:12 (bob) ~
$ echo "sid:2008120; re" | awk ' {match($0,/[0-9]*/) ; \
 s=substr($0,RSTART,RLENGTH) ; print "_",s,"_"} '
_ _

On Thu, 23 Jan 2014 12:20:26 -0800
dteske@FreeBSD.org wrote:

> 1. sig-msg.map file according to OP shouldn't have the quotes that are
> present from the snort rule input
> 2. Doesn't ignore lines of disinterest

I know nothing about snort - I was just going on the previous posts,
but FWIW removing the quotes is just a matter of changing:

    msg = substr($0,RSTART+4, RLENGTH-5)

to

    msg = substr($0,RSTART+5, RLENGTH-6)
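
Added example (not part of RW's message and not the script from earlier in the thread): a POSIX sh function wrapping awk that turns Snort rules into `sid || msg` lines, using the `RSTART+5, RLENGTH-6` offsets to drop the quotes and skipping lines of no interest. The function names, the `msg:"..."` regex, the ` || ` separator and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# rules_to_map: read Snort rule text on stdin, print one "sid || msg" line
# per rule. Hypothetical helper written for this example.
rules_to_map() {
    awk '
    # Lines of no interest: comments (first field starts with #) and
    # anything that carries no numeric sid (blank lines, broken rules).
    $1 ~ /^#/ || $0 !~ /sid:[0-9]+/ { next }
    {
        msg = ""
        # Assumed match covers msg:"text" including both quotes, so
        # +5 skips the 5-character prefix and -6 also drops the closing quote.
        if (match($0, /msg:"[^"]+"/))
            msg = substr($0, RSTART + 5, RLENGTH - 6)

        # The pattern above guarantees this match succeeds.
        match($0, /sid:[0-9]+/)
        sid = substr($0, RSTART + 4, RLENGTH - 4)

        print sid " || " msg
    }'
}

# Constructed sample rules (not taken from the thread or any real rule set).
sample_rules() {
    cat <<'EOF'
# local test rules
alert tcp any any -> any 80 (msg:"TEST example one"; content:"abc"; sid:2008120; rev:3;)

alert udp any any -> any 53 (msg:"TEST example two"; sid:2008121; rev:1;)
alert tcp any any -> any 25 (content:"no sid here";)
EOF
}

sample_rules | rules_to_map
```

A msg value containing an escaped quote would be cut at that quote by this regex, so rule sets that use `\"` inside msg need a stricter parser.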