The technically correct regex would be:

my ($ip_list) = $line=~m/alert (?:udp|tcp) \$HOME_NET any \<\> \[([^\]]+)\]/;

Your regex might match "ucdup" as a string, which is not desired. If your data is well formatted (and I suppose it is), it would still work, though.

Regards,
Adrian Popa

On Fri, Dec 10, 2010 at 11:20 AM, Ben Cooper <[email protected]> wrote:
> This only appears to pull out half the records:
>
> my ($ip_list) = $line=~m/alert tcp \$HOME_NET any \<\> \[([^\]]+)\]/;
>
> I did this:
>
> my ($ip_list) = $line=~m/alert [udptcp]+ \$HOME_NET any \<\> \[([^\]]+)\]/;
>
> Correct me if I'm wrong (though excuse my poor regex).
>
> Kind Regards,
>
> Ben Cooper
>
> On 10/12/2010 08:49, José Manuel Agudo Cuesta wrote:
> > Hi,
> >
> > Only a minor modification is needed:
> >
> > 20,21c20
> > <
> > < my ($ip_list) = $line=~m/alert ip \$HOME_NET any \-\> \[([^\]]+)\]/;
> > ---
> > > my ($ip_list) = $line=~m/alert tcp \$HOME_NET any \<\> \[([^\]]+)\]/;
> >
> > Best regards,
> >
> > Jose
> >
> > On 09/12/10 15:06, Lino Moragon wrote:
> >> Hi List,
> >>
> >> I'm using the great tool Nfsen for some time now and wanted to give the
> >> nfsen-botnet plugin a try.
> >>
> >> As I'm not very acquainted with perl and scripting in general I wanted
> >> to ask if somebody here has got a working conversion script that
> >> downloads the emerging-botcc.rules and converts it to a file usable for
> >> the program botnet_filter.
> >>
> >> I tried it with the example script get_botnets_emerging-botcc included
> >> in the nfsen-botnet-0.3.tar.gz tarball. But I unfortunately failed cause
> >> the script isn't giving me any output at all.
> >> I'm invoking it like: ./get_botnets_emerging-botcc emerging-botcc.rules.
> >> The rules I downloaded from
> >> http://rules.emergingthreats.net/blockrules/emerging-botcc.rules
> >>
> >> Has anyone got a working script? Any help would be greatly appreciated.
> >>
> >> Kind regards
> >> Lino
> >>
> >> _______________________________________________
> >> Nfsen-discuss mailing list
> >> [email protected]
> >> https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
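
Review bot: in the 20,21c20 hunk quoted above, the replacement line hard-codes tcp after alert, so a rule line that starts with alert udp gets no match and its address list is dropped, which fits the later report in this thread that only half the records come out. Accept both protocols in that position with an alternation, (?:udp|tcp), rather than a character class, and add a comment beside the pattern stating the rule-line shape it expects.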
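
The three patterns posted in this thread, run side by side, as an added example that is not part of the thread or of the nfsen-botnet plugin. The sample lines are constructed and shaped only after what those patterns expect, the addresses are documentation ranges, and `extract_ips` is a hypothetical helper.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample lines (not taken from emerging-botcc.rules).
# The third one is deliberately malformed to exercise the character class.
my @lines = (
    'alert tcp $HOME_NET any <> [192.0.2.10,192.0.2.11] any (msg:"constructed sample";)',
    'alert udp $HOME_NET any <> [198.51.100.7,198.51.100.8] any (msg:"constructed sample";)',
    'alert ucdup $HOME_NET any <> [203.0.113.5] any (msg:"constructed malformed line";)',
);

# The three patterns from the thread, in the order they were posted.
my @patterns = (
    [ 'tcp only'    => qr/alert tcp \$HOME_NET any \<\> \[([^\]]+)\]/ ],
    [ '[udptcp]+'   => qr/alert [udptcp]+ \$HOME_NET any \<\> \[([^\]]+)\]/ ],
    [ '(?:udp|tcp)' => qr/alert (?:udp|tcp) \$HOME_NET any \<\> \[([^\]]+)\]/ ],
);

# Hypothetical helper: return the addresses captured from one line,
# or an empty list when the pattern does not match.
sub extract_ips {
    my ($re, $line) = @_;
    my ($ip_list) = $line =~ $re;
    return defined $ip_list ? split(/\s*,\s*/, $ip_list) : ();
}

# Print, per pattern, which protocol tokens it accepts and what it extracts.
for my $p (@patterns) {
    my ($name, $re) = @$p;
    print "$name\n";
    for my $line (@lines) {
        my ($proto) = $line =~ /^alert (\S+)/;
        my @ips = extract_ips($re, $line);
        printf "  %-6s %s\n", $proto, @ips ? join(' ', @ips) : '(no match)';
    }
}
```

The tcp-only pattern skips the udp line, the character class also accepts the malformed `ucdup` token, and the alternation accepts exactly the two protocols.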
