正则表达式DNS答案部分

时间:2019-01-03 19:29:17

标签: regex dns unbound

我已经尝试了一段时间以对未绑定日志中ANSWERS SECTION中的字段进行正则表达式。

此正则表达式仅提取“答案”部分中的最后一个条目:

(?:ANSWER\sSECTION:\s(?:(?<answer_name>\S+)#011(?<answer_ttl>\S+)#011(?<answer_class>\S+)#011(?<answer_type>\S+)#011(?<answer_rdata>\S+)\s)+\s\;\;)

此条目提取“答案”部分中的所有内容,但也泄漏到“权限”部分中

(?:(?<answer_name>\S+)#011(?<answer_ttl>\S+)#011(?<answer_class>\S+)#011(?<answer_type>\S+)#011(?<answer_rdata>\S+)\s)

我的目标是将每个答案分组在一起。关于如何在仍捕获重复组的同时将组限制为答案部分的任何想法?

日志:

 2019-01-02T17:34:19-05:00 10.10.30.1 unbound: [48511:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0  ;; QUESTION SECTION: gs-loc.ls-apple.com.akadns.net.#011IN#011A  ;; ANSWER SECTION: gs-loc.ls-apple.com.akadns.net.#01135#011IN#011A#01117.142.171.4 gs-loc.ls-apple.com.akadns.net.#01135#011IN#011A#01117.142.171.8 gs-loc.ls-apple.com.akadns.net.#01135#011IN#011A#01117.142.171.9  ;; AUTHORITY SECTION:  ;; ADDITIONAL SECTION: ;; MSG SIZE  rcvd: 96

 2019-01-02T17:34:42-05:00 10.10.30.1 unbound: [48511:0] info: cname msg ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0  ;; QUESTION SECTION: init-p01md.apple.com.#011IN#011A  ;; ANSWER SECTION: init-p01md.apple.com.#0119665#011IN#011CNAME#011init-p01md-lb.push-apple.com.akadns.net.  ;; AUTHORITY SECTION:  ;; ADDITIONAL SECTION: ;; MSG SIZE  rcvd: 91

 2019-01-02T18:52:01-05:00 10.10.30.1 unbound: [48511:0] info: msg from cache lookup ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 0  ;; QUESTION SECTION: amazonaws.com.#011IN#011DS  ;; ANSWER SECTION:  ;; AUTHORITY SECTION: xxxxxxxxxxxxxxxxxx.#01181254#011IN#011NSEC3#0111 1 0 - xxxxxxxxxxxxxxxxxxNS SOA RRSIG DNSKEY NSEC3PARAM ;{flags: optout} xxxxxxxxxxxxxxxxxx.com.#01181254#011IN#011RRSIG#011NSEC3 8 2 86400 20190107054258 20181231043258 37490 com. xxxxxxxxxxxxxxxxxx/2/xxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxx= ;{id = 37490} com.#011884#011IN#011SOA#011a.gtld-servers.net. nstld.verisign-grs.com. 1546473084 1800 900 604800 86400 com.#011884#011IN#011RRSIG#011SOA 8 1 900 20190109235124 20190102224124 37490 com. xxxxxxxxxxxxxxxxxx+xxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxx/xxxxxxxxxxxxxxxxxx

1 个答案:

答案 0 :(得分:1)

您可以使用

(?:\G(?!\A)\s*|ANSWER\sSECTION:)\s*(?<answer_name>\S+)#011(?<answer_ttl>\d+)#011(?<answer_class>\w+)#011(?<answer_type>\w+)#011(?<answer_rdata>\S+)

请参见regex demo

详细信息

  • (?:\G(?!\A)\s*|ANSWER\sSECTION:)-ANSWER SECTION:子字符串或上一个匹配项的末尾以及0+空格
  • \s*-超过0个空格
  • (?<answer_name>\S+)-将“ answer_name”分组:1个或多个非空格字符
  • #011-文字子字符串
  • (?<answer_ttl>\d+)-组“ answer_ttl”:1个或更多数字
  • #011-文字子字符串
  • (?<answer_class>\w+)-将“ answer_class”分组:1个或多个单词字符
  • #011-文字子字符串
  • (?<answer_type>\w+)-将“ answer_type”分组:1个或多个单词字符
  • #011-文字子字符串
  • (?<answer_rdata>\S+)-将“ answer_rdata”分组:1个或多个非空白字符。
相关问题
最新问题