From owner-freebsd-questions@FreeBSD.ORG Thu Jan 23 21:57:28 2014 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id BEAE933F; Thu, 23 Jan 2014 21:57:28 +0000 (UTC) Received: from mx1.fisglobal.com (mx1.fisglobal.com [199.200.24.190]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 85249109F; Thu, 23 Jan 2014 21:57:28 +0000 (UTC) Received: from smarthost.fisglobal.com ([10.132.206.191]) by ltcfislmsgpa02.fnfis.com (8.14.5/8.14.5) with ESMTP id s0NLvQO6025047 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 23 Jan 2014 15:57:26 -0600 Received: from THEMADHATTER (10.242.181.54) by smarthost.fisglobal.com (10.132.206.191) with Microsoft SMTP Server id 14.3.174.1; Thu, 23 Jan 2014 15:57:24 -0600 From: Sender: Devin Teske To: "'RW'" , References: <20140123185604.4cbd7611@gumby.homeunix.com> <04a201cf1878$8ebce540$ac36afc0$@FreeBSD.org> <20140123213352.5f289890@gumby.homeunix.com> In-Reply-To: <20140123213352.5f289890@gumby.homeunix.com> Subject: RE: awk programming question Date: Thu, 23 Jan 2014 13:57:20 -0800 Message-ID: <04bd01cf1886$1844f390$48cedab0$@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Outlook 15.0 Thread-Index: AQImboywfYAMtXakWRoTJ2P0ROJwWwJr8ryGAjfseSYDBtd9AwHDspKgALGSJniZkyqbIA== Content-Language: en-us X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.11.87, 1.0.14, 0.0.0000 definitions=2014-01-23_05:2014-01-23,2014-01-23,1970-01-01 signatures=0 Cc: 'Devin Teske' X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 23 Jan 2014 21:57:28 -0000 > -----Original Message----- > From: RW [mailto:rwmaillists@googlemail.com] > Sent: Thursday, January 23, 2014 1:34 PM > To: freebsd-questions@freebsd.org > Subject: Re: awk programming question > > On Thu, 23 Jan 2014 13:57:03 -0700 (MST) Warren Block wrote: > > > On Thu, 23 Jan 2014, dteske@FreeBSD.org wrote: > > > > >> From: RW [mailto:rwmaillists@googlemail.com] > > >> Note that awk supports +, but not newfangled things like *. > > > > > > With respect to regex, what awk really needs is the quantifier > > > syntax... > > > > > > * = {0,} = zero or more > > > + = {1,} = one or more > > > {x,y} = any quantity from x inclusively up to y {x,} = any quantity > > > from x or more > > > > I think RW meant to type that awk did not have the newfangled "?" for > > non-greedy matches. > > No I meant it doesn't support *, which had been used in all the previous awk > examples in this thread, and would have been interpreted as a literal "*". > > $ echo "sid:2008120; re" | awk ' {match($0,/[0-9]+/) ; \ > s=substr($0,RSTART,RLENGTH) ; print "_",s,"_"} ' > _ 2008120 _ > 21:12 (bob) ~ > $ echo "sid:2008120; re" | awk ' {match($0,/[0-9]*/) ; \ > s=substr($0,RSTART,RLENGTH) ; print "_",s,"_"} ' > _ _ > Awk does support "*" but you have to give match() something to "anchor" to. For example... $ echo "sid:2008120; re" | awk '{match($0,/[0-9][0-9]*/); \ s=substr($0,RSTART,RLENGTH); print "_",s,"_"}' _ 2008120 _ > > On Thu, 23 Jan 2014 12:20:26 -0800 > dteske@FreeBSD.org wrote: > > > 1. sig-msg.map file according to OP shouldn't have the quotes that are > > present from the snort rule input 2. Doesn't ignore lines of > > disinterest > > I know nothing about snort - I was just going on the previous posts, but > FWIW removing the quotes is just a matter of changing: > > msg = substr($0,RSTART+4, RLENGTH-5) > > to > > msg = substr($0,RSTART+5, RLENGTH-6) The match() that preceded that (going back in the thread) was: match($0, /msg:[^;]+;/ That was bad for a couple reasons. 1. The msg could be the last property in the ( ... ) set, meaning the msg would either be NULL or contain too much (go beyond the terminating parenthetical and on to the next semi-colon 2. If the msg is not double-quoted, you'll end up shaving the first and last byte unexpectedly. Hence why I test the first byte of the msg and then split on a conditional field separator, later extracting the appropriate field based on traditional parsing logic (which a little googling helped when it came to finding out how simple vs. complex the snort rules file was). -- Devin _____________ The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.