如何从以下数据中提取msg,sid:
alert tcp any any -> any any (msg: "this is a "dummy" rule (to test) the rule"; flow:to server; sid:1233; rev:1; no case; content: "nothing";)
输出应该是:
这是一个"虚拟"规则(测试)规则| 1233
答案 0 :(得分:1)
您可能想尝试使用sed:
sed 's/.*msg: "\([^;]*\)";.*sid:\([0-9]*\).*/\1|\2/' file
它使用反向引用捕获并输出所需的字符串。
答案 1 :(得分:1)
试试这个 -
awk -F'[:;]' '{print substr($2,3,(length($2)-3)),"| " $6}' f
this is a "dummy" rule (to test) the rule | 1233
或
awk -F'[:;]' '{print substr($2,3,(length($2)-3)),v OFS $6}' v="|" f
this is a "dummy" rule (to test) the rule | 1233
或
awk -v OFS=" | " -F'[:;]' '{gsub(/^[ "]+|["]+$/,"",$2);print $2 OFS $6}' f
this is a "dummy" rule (to test) the rule | 1233
答案 2 :(得分:1)
假设:
$ echo "$txt"
alert tcp any any -> any any (msg: "this is a "dummy" rule (to test) the rule"; flow:to server; sid:1233; rev:1; no case; content: "nothing";)
您可以使用Bash正则表达式:
$ [[ $txt =~ msg:\ \"([^;]*)\"\;.*sid:([^;]*) ]] &&
printf "%s | %s" "${BASH_REMATCH[1]}" "${BASH_REMATCH[2]}"
this is a "dummy" rule (to test) the rule | 1233
答案 3 :(得分:0)
我会选择Perl,因为它支持非贪婪的运算符,并且在所有平台(可移植)中都可以正常工作:
$ echo "$b"
alert tcp any any -> any any (msg: "this is a "dummy" rule (to test) the rule"; flow:to server; sid:1233; rev:1; no case; content: "nothing";)
$ echo "$b" |perl -pe 's/(.*msg: ?)(.*?)(\;.*?).*sid:(.*?)\;.*/\2|\4/'
"this is a "dummy" rule (to test) the rule"|1233
还有一个awk - 仅限GNU awk:
$ echo "$b" |awk '{match($0,/(.*msg: )(\".+\"[^;]*)(.*sid:)(.[^;]*)/,a);print a[2] "|" a[4]}'
"this is a "dummy" rule (to test) the rule"|1233
答案 4 :(得分:0)
我尝试使用awk并拆分功能:
awk -F ';' '
{
for(i=1;i<=NF;i++)
{
if(match($i,"msg")>0)
{
split($i, array2, ":")
message=array2[2]
}
}
print message
}' >> $file
完成
并为我工作得很好。
答案 5 :(得分:0)
awk -F\" '{print $2,$3,$4" | " substr($5,23,4)}' OFS='"' file
this is a "dummy" rule (to test) the rule | 1233