Returning only part of a line when grepping
# 1  
Old 04-05-2010
Returning only part of a line when grepping

I want to grep out a part of a Snort rule based on the SID given, but all I want as the output is the part in the quotes after the msg:. An example line looks something like this:

alert tcp any any -> 127.0.0.1 any (msg:"Example Message"; classtype:Example; sid:123456;)

I would want it to only show Example Message.

Any help is appreciated.

Thanks!

~Riott
# 2  
Old 04-05-2010
Code:
$ sid=123456
$ echo 'alert tcp any any -> 127.0.0.1 any (msg:"Example Message"; classtype:Example; sid:123456;)' |
> sed "/.*$sid/s/.*msg:\([^;]*\);.*/\1/"
"Example Message"

# 3  
Old 04-05-2010
Here's a Perl solution:

Code:
$
$ # show the content of the log file
$ cat -n f8
     1  blah
     2  alert tcp any any -> 127.0.0.1 any (msg:"Example Message"; classtype:Example; sid:123456;)
     3  blah blah
$
$ SID=123456
$
$ # Perl one-liner
$ perl -lne "/.*msg:\"(.*)\".*sid:$SID/ && print \$1" f8
Example Message
$
$

tyler_durden
# 4  
Old 04-05-2010
Sorry... after receiving the replies, I realized that I left out a main part. lol.

The SIDs are stored in a file where each one is listed, one per line, like so:

154987
198786
387984
978165
...

I'm grepping the Snort rules file through all of the rules therein for the matching SIDs, and all I want is the message. Sorry for not being more clear. So far I have:

grep -f sids /data/snort/snort.rules

and was wondering what to pipe it into to return only the message. I can see that it will probably be sed, but I'm not good with regular expressions. Sorry again for not being more clear on my problem, and thank you guys for already trying to help.

~Riott
# 5  
Old 04-05-2010
Code:
$
$
$ # show the content of file "snort.rules"
$ cat snort.rules
blah
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 1"; classtype:Example; sid:154987;)
blah blah
blah
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 2"; classtype:Example; sid:198786;)
blah blah
blah
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 3"; classtype:Example; sid:387984;)
blah blah
blah
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 4"; classtype:Example; sid:123456;)
blah blah
blah
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 5"; classtype:Example; sid:978165;)
blah blah
blah
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 6"; classtype:Example; sid:654321;)
blah blah
$
$ # show the content of file "sids"
$ cat sids
154987
198786
387984
978165
$
$ # search and print all lines in file "snort.rules" that match the sids in file "sids"
$ grep -f sids snort.rules
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 1"; classtype:Example; sid:154987;)
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 2"; classtype:Example; sid:198786;)
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 3"; classtype:Example; sid:387984;)
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 5"; classtype:Example; sid:978165;)
$
$ # extract the message part from the result above, by using sed
$ grep -f sids snort.rules | sed 's/.*msg:"\(.*\)\".*/\1/'
Example Message 1
Example Message 2
Example Message 3
Example Message 5
$
$ # extract the message part from the result above, by using Perl
$ grep -f sids snort.rules | perl -plne 's/.*msg:"(.*)".*/$1/'
Example Message 1
Example Message 2
Example Message 3
Example Message 5
$
$

tyler_durden
# 6  
Old 04-05-2010
It worked! Thanks tyler!
# 7  
Old 04-05-2010
awk only.
Code:
# split on quote, colon and semicolon: $3 is the msg text, $(NF-1) the sid number (assumes sid: is the last option)
awk -F'[":;]' 'NR==FNR{a[$0];next}NF && $(NF-1) in a{print $3}' sids snort.rules

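Added example, not code from the thread, pulling the approaches in posts #2, #5 and #7 together into one lookup a practitioner can drop into a script. Those one-liners match the SID as a bare pattern anywhere in the line, so a SID from the list would also match a longer SID, a port or an address that happens to contain the same digits, and a commented-out (disabled) copy of the rule; the awk in post #7 additionally assumes sid: is the last option, which does not hold for rules that carry rev: or metadata: after it. The function below anchors on the sid: option itself, skips commented-out rules, and reads msg: up to its closing quote while honouring backslash escapes. The sids and snort.rules contents are constructed for the example; the function names and the tab-separated output format are my choices, not anything Snort or the thread defines.

```shell
#!/bin/sh
# Added example, not code from the thread: look up Snort rule messages by SID.
# Assumptions: one rule per line, sid: terminated by ";", msg: a double-quoted
# string in which embedded quotes and semicolons are backslash-escaped.

# snort_msgs_by_sid SIDS_FILE RULES_FILE
# Prints "<sid><TAB><msg>" for every active rule whose sid: value is listed
# (one per line) in SIDS_FILE. Matching is exact on the sid: option, so
# 154987 does not also hit sid:1549870 or a port/address containing those digits.
snort_msgs_by_sid() {
    awk '
        # pass 1: remember the wanted SIDs
        NR == FNR { if ($1 ~ /^[0-9]+$/) want[$1]; next }
        # pass 2: skip disabled (commented-out) rules
        /^[ \t]*#/ { next }
        {
            # sid: option, anchored on a preceding space, "(" or ";" and its closing ";"
            if (!match($0, /[ (;]sid: *[0-9]+ *;/)) next
            sid = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", sid)
            if (!(sid in want)) next
            # msg: option; walk to the closing quote, honouring backslash escapes
            if (!match($0, /msg: *"/)) next
            rest = substr($0, RSTART + RLENGTH)
            msg = ""
            n = length(rest)
            for (i = 1; i <= n; i++) {
                c = substr(rest, i, 1)
                if (c == "\\") { i++; msg = msg substr(rest, i, 1); continue }
                if (c == "\"") break
                msg = msg c
            }
            print sid "\t" msg
        }
    ' "$1" "$2"
}

# make_sample DIR: write a constructed sids list and rules file (not a real
# ruleset) into DIR so the example runs offline.
make_sample() {
    cat > "$1/sids" <<'EOF'
154987
198786
978165
EOF
    cat > "$1/snort.rules" <<'EOF'
# alert tcp any any -> 127.0.0.1 any (msg:"Disabled copy"; sid:154987; rev:1;)
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 1"; classtype:Example; sid:154987; rev:2;)
alert tcp any any -> 127.0.0.1 1549870 (msg:"Port contains a wanted SID"; sid:1000001;)
alert tcp any any -> 127.0.0.1 any (msg:"Example \"quoted\" Message 2"; classtype:Example; sid:198786;)
alert tcp any any -> 127.0.0.1 any (msg:"Superstring of a wanted SID"; sid:1987860;)
alert tcp any any -> 127.0.0.1 any (msg:"Example Message 5"; sid:978165;)
EOF
}

# Demo: the unanchored "grep -f sids snort.rules" from the thread matches all
# six lines above; the anchored lookup prints exactly the three wanted rules.
demo=$(mktemp -d)
make_sample "$demo"
snort_msgs_by_sid "$demo/sids" "$demo/snort.rules"
rm -rf "$demo"
```

On the sample, `grep -f sids snort.rules` returns all six lines, including the disabled rule and the two rules whose SID or port merely contains a wanted SID; `grep -w` would drop the superstring hits but still keep the commented-out rule and still leave the message extraction to a second pass. The awk above is not a full Snort rule parser (it does not, for example, guard against the literal text `sid:` appearing inside a msg string), which is why the assumptions are stated up front.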