使用正则表达式解析 Snort 警报文件 [英] Parsing Snort Alert File with Regex

问题描述

我正在尝试在 Python 中使用正则表达式从 snort 警报文件中解析出源、目标(IP 和端口)和时间戳.示例如下:

I'm trying to use regex in Python to parse out the source, destination (IPs and ports) and the time stamp from a snort alert file. Example as below:

03/09-14:10:43.323717  [**] [1:2008015:9] ET MALWARE User-Agent (Win95) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.116.194:28692 -> 205.181.112.65:80

我有一个 IP 的正则表达式，但由于 IP 中的端口，它没有正确触发.如何将端口与 IP 分开?

I have a regex for the IP, but it doesn't fire correctly because of the port in the IP. How can I get the port separate from the IP?

^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$

推荐答案

这应该从整行中提取必要的部分:

This should extract the necessary parts from the full line:

r'([0-9:./-]+)\s+.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})\s+->\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})'

看这个例子:

In [22]: line = '03/09-14:10:43.323717  [**] [1:2008015:9] ET MALWARE User-Agent (Win95) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.116.194:28692 -> 205.181.112.65:80'

In [23]: m = re.match(r'([0-9:./-]+)\s+.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})\s+->\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})', line)

In [24]: m.group(1)
Out[24]: '03/09-14:10:43.323717'

In [25]: m.group(2)
Out[25]: '172.16.116.194'

In [26]: m.group(3)
Out[26]: '28692'

In [27]: m.group(4)
Out[27]: '205.181.112.65'

In [28]: m.group(5)
Out[28]: '80'

这篇关于使用正则表达式解析 Snort 警报文件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！