
awk/sed questions


All times are UTC - 6 hours


Posted: Tue Feb 16, 2010 7:20 am

Joined: Thu Oct 30, 2008 11:39 am
Posts: 8
Hi,

I have the following mod_security output:
[Tue Feb 16 09:21:58 2010] [error] [client 93.160.58.5] ModSecurity: Warning. Match of "rx (?:\\\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\\\b|r(?:iff\\\\b|ar!B)|gif)|B(?:%pdf|\\\\.ra)\\\\b)" against "RESPONSE_BODY" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"] [hostname "app.appinux.com"] [uri "/PROD/scanjour/index.php"] [unique_id "bXAmd38AAAEAAGZgcdAAAAAB"]

Is there any way for me to get the id and uri values using awk and sed?

Please help

Thanks


Posted: Wed Feb 17, 2010 2:26 am

Joined: Mon Nov 17, 2008 7:25 am
Posts: 221
If it's a sed and awk solution something like this might solve it:
Code:
sajko@hanna:~> awk -F']' 'NR>1&&$0=$1' RS='(id|uri) ' a.txt
"970903"
"/PROD/scanjour/index.php"
"bXAmd38AAAEAAGZgcdAAAAAB"

The last entry is just because it contains id in the UNIQUE_ID tag.

Code:
sajko@hanna:~> cat a.txt
[Tue Feb 16 09:21:58 2010] [error] [client 93.160.58.5] ModSecurity: Warning. Match of "rx (?:\\\\b(?:(?:i(?:nterplay|hdr|d3)|m(?:ovi|thd)|(?:ex|jf)if|f(?:lv|ws)|varg|cws)\\\\b|r(?:iff\\\\b|ar!B)|gif)|B(?:%pdf|\\\\.ra)\\\\b)" against "RESPONSE_BODY" required. [file "/etc/httpd/modsecurity.d/modsecurity_crs_50_outbound.conf"] [line "59"] [id "970903"] [msg "ASP/JSP source code leakage"] [severity "WARNING"] [tag "LEAKAGE/SOURCE_CODE"] [hostname "app.appinux.com"] [uri "/PROD/scanjour/index.php"] [unique_id "bXAmd38AAAEAAGZgcdAAAAAB"]
sajko@hanna:~> cat a.txt | cut -d'[' -f7 | cut -d ']' -f1
id "970903"
sajko@hanna:~> cat a.txt | cut -d'[' -f12 | cut -d ']' -f1
uri "/PROD/scanjour/index.php"


Here you have another solution without using sed/awk.

If you wish to clean the lines up a bit using sed you can do this:
Code:
sajko@hanna:~> echo "uri \"/PROD/scanjour/index.php\"" | sed -e "s/^[^\"]\+\"\([^\"]\+\)\"/\1/"
/PROD/scanjour/index.php


Breaking down s/^[^\"]\+\"\([^\"]\+\)\"/\1/:
^[^\"]\+ This means to jump ahead to the first quotation mark ", this does not include it so the next sign needs to be ".
\([^\"]\+\) Again, this means to jump ahead, but we also buffer it for the search-replace part.
\1 after an unescaped / means to use buffer 1 meaning the first () item in the previous search pattern (aka Grouping).

Best regards
Fredrik Eriksson
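
An added example, not part of the original posts: one way to pull id and uri out of ModSecurity error-log lines by tag name, so that unique_id is not picked up and the result does not depend on the field position used with cut. The helper names modsec_id_uri and sample_log and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# modsec_id_uri: hypothetical helper (not part of ModSecurity).
# Reads error-log lines on stdin, prints "id<TAB>uri" per ModSecurity line.
modsec_id_uri() {
    awk '
    # Value of the tag [name "value"], or "-" when the tag is missing.
    # The search key starts with "[", so [id "..."] is never confused
    # with [unique_id "..."], and no field position is assumed.
    function tag(line, name,    key, from, rest, stop) {
        key = "[" name " \""
        from = index(line, key)
        if (from == 0) return "-"
        rest = substr(line, from + length(key))
        stop = index(rest, "\"]")
        if (stop == 0) return "-"
        return substr(rest, 1, stop - 1)
    }
    # Skip ordinary Apache errors; only ModSecurity entries carry these tags.
    /ModSecurity:/ { print tag($0, "id") "\t" tag($0, "uri") }
    '
}

# Constructed sample input: tags in a different order, a missing uri tag,
# and one non-ModSecurity line. Addresses and ids 900001/900002 are made up.
sample_log() {
    cat <<'EOF'
[Tue Feb 16 09:21:58 2010] [error] [client 192.0.2.10] ModSecurity: Warning. Sample match. [file "/etc/example.conf"] [line "59"] [id "970903"] [msg "sample"] [hostname "www.example.com"] [uri "/PROD/scanjour/index.php"] [unique_id "AAAAidAAAA"]
[Tue Feb 16 09:22:03 2010] [error] [client 192.0.2.11] ModSecurity: Warning. Sample match. [unique_id "BBBBuriBBB"] [id "900001"] [uri "/login"]
[Tue Feb 16 09:22:07 2010] [error] [client 192.0.2.12] ModSecurity: Warning. Sample match. [id "900002"] [unique_id "CCCCCCCC"]
[Tue Feb 16 09:22:09 2010] [error] [client 192.0.2.13] File does not exist: /var/www/favicon.ico
EOF
}

sample_log | modsec_id_uri
```

A missing tag is reported as "-" so every ModSecurity line still yields two columns that can be counted or sorted.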


Posted: Wed Feb 17, 2010 7:11 am

Joined: Thu Oct 30, 2008 11:39 am
Posts: 8
Hi,

I had no idea that awk can be used that way.

As for cleaning the lines, this can be done this way too:
Code:
echo "uri \"/PROD/scanjour/index.php\"" | sed "s/\"//g" | awk '{print $2}'


Thanks a lot for your help


Posted: Wed Feb 17, 2010 4:43 pm

Joined: Mon Nov 17, 2008 7:25 am
Posts: 221
Of course, you can always use cut to do it too :P
Code:
sajko@hanna:~> echo "uri \"/PROD/scanjour/index.php\"" | cut -d'"' -f2
/PROD/scanjour/index.php


Best regards
Fredrik Eriksson

