Parsing Snort Alert File with Regex
Problem description
I'm trying to use regex in Python to parse out the source, destination (IPs and ports) and the time stamp from a snort alert file. Example as below:
03/09-14:10:43.323717 [**] [1:2008015:9] ET MALWARE User-Agent (Win95) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.116.194:28692 -> 205.181.112.65:80
I have a regex for the IP, but it doesn't fire correctly because of the port in the IP. How can I get the port separate from the IP?
^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$
Recommended answer
This should extract the necessary parts from the full line:
r'([0-9:./-]+)\s+.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})\s+->\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})'
See this example:
In [22]: line = '03/09-14:10:43.323717 [**] [1:2008015:9] ET MALWARE User-Agent (Win95) [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 172.16.116.194:28692 -> 205.181.112.65:80'
In [23]: m = re.match(r'([0-9:./-]+)\s+.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})\s+->\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})', line)
In [24]: m.group(1)
Out[24]: '03/09-14:10:43.323717'
In [25]: m.group(2)
Out[25]: '172.16.116.194'
In [26]: m.group(3)
Out[26]: '28692'
In [27]: m.group(4)
Out[27]: '205.181.112.65'
In [28]: m.group(5)
Out[28]: '80'
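As an added example that is not part of the question or the answer above, the parser below uses named groups to pull every field out of a Snort "fast" alert line (timestamp, gid:sid:rev, message, classification, priority, protocol, endpoints). It also covers two cases the one-line regex does not: alerts for protocols without ports, such as ICMP, and IP strings like 999.1.1.1 that \d{1,3} accepts but are not valid addresses. The ICMP and bad-IP sample lines are constructed; only the first is the line from the question.

```python
import re

# Snort "fast" alert format as shown in the question: timestamp (optionally with a year,
# as produced by snort -y), [**] [gid:sid:rev] msg [**], optional [Classification: ...],
# [Priority: N], {PROTO} src[:port] -> dst[:port]. Ports are absent for ICMP, so they are optional.
ALERT_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?'
    r'\[Priority:\s+(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>[A-Z0-9]+)\}\s+'
    r'(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d{1,5}))?\s+->\s+'
    r'(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d{1,5}))?\s*$'
)

def _valid_ip(ip):
    """\d{1,3} also matches 999.1.1.1; require every octet to be 0-255."""
    return all(0 <= int(o) <= 255 for o in ip.split('.'))

def parse_alert(line):
    """Return a dict of fields for one fast-alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m or not (_valid_ip(m['src']) and _valid_ip(m['dst'])):
        return None
    rec = m.groupdict()            # unmatched optional groups come back as None
    for k in ('gid', 'sid', 'rev', 'prio'):
        rec[k] = int(rec[k])
    for k in ('sport', 'dport'):
        rec[k] = int(rec[k]) if rec[k] is not None else None
    return rec

# Constructed sample lines (not captured traffic): the line from the question, an ICMP alert
# with no ports, and a line whose source IP is syntactically plausible but invalid.
SAMPLE_LINES = [
    '03/09-14:10:43.323717 [**] [1:2008015:9] ET MALWARE User-Agent (Win95) [**] '
    '[Classification: A Network Trojan was detected] [Priority: 1] {TCP} '
    '172.16.116.194:28692 -> 205.181.112.65:80',
    '03/09-14:11:02.000123 [**] [1:100001:1] CONSTRUCTED ICMP test [**] '
    '[Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.9',
    '03/09-14:12:00.000001 [**] [1:100002:1] CONSTRUCTED bad ip [**] '
    '[Priority: 3] {UDP} 999.1.1.1:53 -> 10.0.0.9:53',
]

def parse_alerts(lines):
    """Parse many lines, dropping those that do not match or carry an invalid IP."""
    return [r for r in (parse_alert(l) for l in lines) if r is not None]

if __name__ == '__main__':
    for r in parse_alerts(SAMPLE_LINES):
        print(r['ts'], r['proto'], r['src'], r['sport'], '->', r['dst'], r['dport'], r['msg'])
```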