python - Parsing Snort Logs with PyParsing -


There is a problem parsing the snort log using the pipering module.

The problem is with the separation of Snort, (which contains multiline entries, is different than a blank line) and expecting to work with each row to work with each row, To get pipering to parse each entry in the form of a whole section (obviously, it is not.)

I want to convert each section to a temporary string Has tried to take out new lines in each section, but it does not refuse to process correctly I can be completely on the wrong track, but I do not think so (syslog- Type works perfectly for logs, but they are one-line entries and therefore lend themselves in their original file iterator / line processing)

A sample of log and I have so far Of the ID: [**] [1: 486: 4] Unfair communication with ICMP destination destination host is prohibited from administration [**] [Classification: Miscellaneous activity] [Priority: 3] 08 / 03-07: 30: 02.233350 172.143.241.86 - & gt; 63.44.2.33 ICMP TTL: 61 TOS: 0xC0 ID: 49461 IpLen: 20 DgmLen: 88 Type: 3 Code: 10 Not Accessed Destination: Hostally Hosted Hosted Filter ** Original Datagram DUMP: 63.44.2.33:41235 - & Gt; 172.143.241.86:4949 TCP TTL: 61 TOS: 0x0 ID: 36212 IpLen: 20 DgmLen: 60 DF Seq: 0xF74E606 (more than 32 bytes of original packet) ** End of DUMP [**] ... and this [e.g.

and update code: 

  def snort_parse (logfile): press header = ("[**] [") + add (integer Press "+ integer +": "+ integer") ("]") + Regex (". *") + ("[**]") cls = Optional (press ("[Classification:") + Regex (".") + Press (")") Press Primary = ("[Priority:") + + Integer + (")") Date = Integer + "/" + Integer + "-" + Pu "+ +": "+ Integer +". + Pressing (integer) src_ip = ip_addr + pressing ("->") dest_ip = ip_addr ext = regex (". *") BNF = header + cls + pri + date + Src_ip + dest_ip + Extra def logreader (logfile): Open as snort_logfile (logfile) with fly = []: for line in snort_logfile: if line! = '\ N': line = line [: - 1] Chunk.Apend continues: Print part "". (Part) part = [] string_to_parse = "" .join (logfile) .next ()) fields = bnf.parseString (string_to_parse) Print areas

Any help, Signs, RTFMs, you're doing this wrong, etc., much appreciated.

pyparsing import as imported itertools integer = pyp.Word (pyp.nums) ip_addr = Pyp.combine (integer + '.' + Integer + '.' + Integer + '.' + Integer) def s nort_parse (logfile): header = (pyp.Suppress ("[**] [") + pyp Combine (integer + ":" + integer + ":" + integer) + pyp.Suppress (pyp.SkipTo ("[**]", included = true))) CLS = (pyp.Suppress (pyp.Optional (pyp) ("[Classification:")) + pyp.Regex ("[^]] *") + Pip (integer + "/" + integer + '-' + integer + ':' clamp '(') ' )) Pvt. Pip. Second ("[priority:") + integer + Pip. Suppress ("]") date = pyp.Combine (integer + integer + ':' '.' + Integer + integer) src_ip = ip_addr + pyp.Suppress ( "- & gt;" dest_ip = ip_addr BNF = header + cls + pri + date + src_ip + open (dest_ip with logfile) as snort_logfile: For istotools.groupby (snort_logfile, key = lambda x: bool (x.strip) ())): If has_content: tmpStr = '' .join (grp) fields = bnf.searchString (tmpStr) print (field)) Snort_parse ('snort_file')

yields 

  [['1: 486: 4', 'Various works Vity', '3', '08 / 033/07/02/133 '50, '172.143.241.86', '63. 44.2.33 ']]

-

Comments

Post a Comment

Popular posts from this blog

Eclipse CDT variable colors in editor -

I hope this is a good question to ask here. This programming is related, so I thought it would be better than the superuser, so I am using the CDT C ++ Eclipse plugin. I know how the editor changes colors for some things But is there a way to do that all the variables are different colors? For example in KDEValue, it sets the local variables and square variables in different colors and bold square squares. Can I copy it to CDT? Eclips provides some level of color customization for text editor syntax You can see it on the following: There are many elements, including the Window> Preferences> C / C ++> Editor> Syntax color code that can be changed, assembly, Comments, Preprocessor and Doxian Under the code, it is possible to change the color of some variable types, such as global variables, local variable announcements, local variable references, and parameter variables. But I do not think the code is capable of changing the color of each variable declared....
Read more

AJAX doesn't send POST query -

$ (दस्तावेज़) .ready (function () {function ajaxselectrss (rssurlvar) {var ajaxRequest; // वेरिएबल जो अजाक्स को संभव बनाता है! कोशिश करें कि {// ओपेरा 8.0+, फ़ायरफ़ॉक्स, सफारी अजाक्स अनुरोध} = नया एक्सएमएलएचटीपीआरइवेस्ट ();} कैच (ई) {// इंटरनेट एक्सप्लोरर ब्राउज़र्स {ajaxRequest = new ActiveXObject ("Msxml2.XMLHTTP");} पकड़ो (ई) {try {ajaxRequest = new ActiveXObject ("Microsoft.XMLHTTP");} कैच (ई) {// कुछ गलत चेतावनी ("आपका ब्राउज़र तोड़ दिया!"); वापसी झूठी;}}} // एक बनाएं फ़ंक्शन जो सर्वर से भेजे गए डेटा प्राप्त करेंगे ajaxRequest.onreadystatechange = function () {if (ajaxRequest.readyState == 4) {var ajaxDisplay = document.getElementById ('news'); ajaxDisplay.innerHTML = ajaxRequest.responseText;}} / / Var rssurlvar = $ (this) .attr ("title"); var queryString = "rurl =" + rssurlvar; var urltofile = "rssget.php"; ajaxRequest.open ("पोस्ट", urltofile, सच); ajaxRequ Est.setRequestHeader ("सामग्री-प्र...
Read more

wpf - Custom Message Box Advice -

Well, I'm using a custom window box that comes with some custom control boxes that accompany the text The producers who are displayed are called. I have a defined event, which has been subscribed through the original class, it gets burnt when clicking on the button. However, I can not see how to use it effectively, I would like to return one yes, whether yes or not, but obviously my code will continue to execute, so this Below is some example code to clarify the problem that the method has subscibed by clicking on the button. Message box window Public partial class custom message box: window {public representative message messagebox object sender, event events e); Public event messagebox handler messagebox document; Public Customs Box () {Initial group (); } Public Customsbox (String Message) {InitializeComponent (); This.txtdescription.Text = Message; } Public Customsbox (String Message, String Title, String First BTNtext) {Initialization (); This.lbltitle.Content =...
Read more