Thanks, I tried the curly brackets, but it kept pulling the udp/tcp string in the output. Now I know.

Kind Regards,

Ben Cooper

On 10/12/2010 10:16, Adrian Popa wrote:
> The technically correct regex would be:
>
> my ($ip_list) = $line=~m/alert (?:udp|tcp) \$HOME_NET any \<\> \[([^\]]+)\]/;
>
> Your regex might match "ucdup" as a string, which is not desired. If your
> data is well formatted (and I suppose it is), it would still work, though.
>
> Regards,
> Adrian Popa
>
> On Fri, Dec 10, 2010 at 11:20 AM, Ben Cooper <[email protected]> wrote:
>
>> This only appears to pull out half the records:
>>
>>> > my ($ip_list) = $line=~m/alert tcp \$HOME_NET any \<\> \[([^\]]+)\]/;
>>
>> I did this:
>>
>>> my ($ip_list) = $line=~m/alert [udptcp]+ \$HOME_NET any \<\> \[([^\]]+)\]/;
>>
>> Correct me if I'm wrong (though excuse my poor regex).
>>
>> Kind Regards,
>>
>> Ben Cooper
>>
>> On 10/12/2010 08:49, José Manuel Agudo Cuesta wrote:
>>> Hi,
>>>
>>> Only a minor modification is needed:
>>>
>>> 20,21c20
>>> <
>>> < my ($ip_list) = $line=~m/alert ip \$HOME_NET any \-\> \[([^\]]+)\]/;
>>> ---
>>> > my ($ip_list) = $line=~m/alert tcp \$HOME_NET any \<\> \[([^\]]+)\]/;
>>>
>>> Best regards,
>>>
>>> Jose
>>>
>>> On 09/12/10 15:06, Lino Moragon wrote:
>>>> Hi List,
>>>>
>>>> I'm using the great tool Nfsen for some time now and wanted to give the
>>>> nfsen-botnet plugin a try.
>>>>
>>>> As I'm not very acquainted with perl and scripting in general I wanted
>>>> to ask if somebody here has got a working conversion script that
>>>> downloads the emerging-botcc.rules and converts it to a file usable for
>>>> the program botnet_filter.
>>>>
>>>> I tried it with the example script get_botnets_emerging-botcc included
>>>> in the nfsen-botnet-0.3.tar.gz tarball. But I unfortunately failed cause
>>>> the script isn't giving me any output at all.
>>>> I'm invoking it like: ./get_botnets_emerging-botcc emerging-botcc.rules.
>>>> The rules I downloaded from
>>>> http://rules.emergingthreats.net/blockrules/emerging-botcc.rules
>>>>
>>>> Has anyone got a working script?
>>>> Any help would be greatly appreciated.
>>>>
>>>> Kind regards
>>>> Lino

_______________________________________________
Nfsen-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/nfsen-discuss
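
Review bot: the replacement pattern on the `>` side of the quoted `20,21c20` hunk hard-codes `alert tcp`, so any rule line that begins `alert udp` is skipped, which matches the "only half the records" report in the follow-up. A non-capturing alternation, `alert (?:udp|tcp)`, accepts both protocols and still leaves the bracketed IP list as the first capture group, so `my ($ip_list)` keeps receiving the addresses rather than the protocol string.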
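
The difference between the three patterns in this thread, as an added example that is not part of the original messages or of the nfsen-botnet plugin. The rule lines are constructed samples shaped to fit the thread's patterns (addresses from the RFC 5737 documentation ranges), and `extract_ips` is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The three patterns discussed in the thread, unchanged apart from qr// quoting.
my %pattern = (
    'tcp only'    => qr/alert tcp \$HOME_NET any \<\> \[([^\]]+)\]/,
    'char class'  => qr/alert [udptcp]+ \$HOME_NET any \<\> \[([^\]]+)\]/,
    'alternation' => qr/alert (?:udp|tcp) \$HOME_NET any \<\> \[([^\]]+)\]/,
);

# Constructed sample lines, not real rule content.
# The third line is deliberately malformed ("ucdup" is not a protocol).
my @lines = (
    'alert tcp $HOME_NET any <> [192.0.2.10,192.0.2.11] any (msg:"sample tcp"; sid:1;)',
    'alert udp $HOME_NET any <> [198.51.100.7,198.51.100.8] any (msg:"sample udp"; sid:2;)',
    'alert ucdup $HOME_NET any <> [203.0.113.99] any (msg:"malformed"; sid:3;)',
);

# Return the IPs a pattern extracts from one line (empty list on no match).
# (?:...) groups without capturing, so $1 is always the bracketed IP list.
sub extract_ips {
    my ($re, $line) = @_;
    my ($ip_list) = $line =~ $re;
    return defined $ip_list ? split(/\s*,\s*/, $ip_list) : ();
}

# Show, per pattern, which sample lines yield addresses.
for my $name ('tcp only', 'char class', 'alternation') {
    print "== $name ==\n";
    for my $line (@lines) {
        my ($proto) = $line =~ /^alert (\S+)/;
        my @ips = extract_ips($pattern{$name}, $line);
        printf "  %-6s %s\n", $proto, @ips ? join(' ', @ips) : '(no match)';
    }
}
```

The "tcp only" pattern drops the udp line, the character class also accepts the malformed "ucdup" line, and the alternation accepts exactly the tcp and udp lines.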
