@sahglie
Created November 14, 2014 00:59
regex with named captures
require 'time'
require 'pp'

# Snort alert line as delivered over syslog: <pri>, timestamp, sensor host,
# "snort[pid]: [gid:sid:rev] name {proto} src:port -> dst:port".
# The /x flag lets the pattern span lines; whitespace inside it is ignored,
# so every real space in the log line is written as \s.
ALERT_TOKENS_REGEX = /
  <\d+>
  (?<alert_ts>[a-zA-Z]{3}\s\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})\s
  .+\s
  (?<name>SNS-ALERT-CAT[1-3].+)\s
  {(?<protocol>.+)}\s
  (?<src_ip>(?:\d+\.){3}\d+):(?<src_port>\d+)
  \s->\s
  (?<dst_ip>(?:\d+\.){3}\d+):(?<dst_port>\d+)
/x

# Returns a hash keyed by the named captures, or {} when the line is not an alert.
def extract_key_values(alert)
  md = alert.match(ALERT_TOKENS_REGEX)
  return {} if md.nil?
  kv = Hash[md.names.zip(md.captures)]
  # The syslog timestamp carries no year; Time.parse assumes the current one.
  kv["alert_ts"] = Time.parse(kv["alert_ts"])
  kv["raw_alert"] = alert
  kv
end

alert = "<167>Nov 12 10:07:19 server.google.com snort[17632]: [1:2017609:1] SNS-ALERT-CAT2-WEB_SERVER_PHP_WebShell_Embedded_In_PNG_(INBOUND) {TCP} 2.22.222.222:80 -> 1.11.111.111:53231"
pp extract_key_values(alert)
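The same named-capture approach carried a step further, as an added example that is not part of the gist: it anchors the pattern, also captures the sensor host and the [gid:sid:rev] signature id, skips lines that are not Snort alerts, takes an explicit year instead of letting Time.parse guess it, and counts alerts per signature and per destination. The log lines and signature names are constructed samples.

```ruby
require 'time'

# Assumed log shape: RFC 3164 syslog priority, timestamp, sensor host, then a
# Snort "[gid:sid:rev] name {proto} src:port -> dst:port" alert, as in the gist.
SNORT_ALERT_RE = /
  \A<\d+>
  (?<alert_ts>[A-Za-z]{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s
  (?<sensor>\S+)\s
  snort\[\d+\]:\s
  \[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s
  (?<name>SNS-ALERT-CAT(?<category>[1-3])\S+)\s
  \{(?<protocol>[^}]+)\}\s
  (?<src_ip>(?:\d{1,3}\.){3}\d{1,3}):(?<src_port>\d+)
  \s->\s
  (?<dst_ip>(?:\d{1,3}\.){3}\d{1,3}):(?<dst_port>\d+)
  \z
/x

# Returns a hash of the named captures, or nil when the line is not an alert.
# The syslog timestamp has no year, so the caller supplies one rather than
# letting Time.parse silently assume the current year.
def parse_alert(line, year:)
  md = SNORT_ALERT_RE.match(line.strip)
  return nil if md.nil?
  kv = md.named_captures
  ts = kv["alert_ts"].squeeze(" ")   # "Nov  2" (padded day) -> "Nov 2"
  kv["alert_ts"] = Time.strptime("#{year} #{ts}", "%Y %b %d %H:%M:%S")
  %w[category gid sid rev src_port dst_port].each { |k| kv[k] = kv[k].to_i }
  kv["raw_alert"] = line
  kv
end

# Parses every line, drops non-alerts, and counts alerts per signature name
# and per destination host.
def summarize_alerts(lines, year:)
  alerts = lines.map { |l| parse_alert(l, year: year) }.compact
  {
    "parsed"  => alerts.size,
    "skipped" => lines.size - alerts.size,
    "by_name" => alerts.group_by { |a| a["name"] }.transform_values(&:size),
    "by_dst"  => alerts.group_by { |a| a["dst_ip"] }.transform_values(&:size),
  }
end

# Constructed sample lines (not real traffic); the third is not a Snort alert.
SAMPLE_LINES = [
  "<167>Nov 12 10:07:19 sensor1 snort[17632]: [1:2017609:1] SNS-ALERT-CAT2-WEB_SERVER_PHP_WebShell_Embedded_In_PNG_(INBOUND) {TCP} 2.22.222.222:80 -> 1.11.111.111:53231",
  "<167>Nov  2 03:15:00 sensor1 snort[17632]: [1:2017609:1] SNS-ALERT-CAT2-WEB_SERVER_PHP_WebShell_Embedded_In_PNG_(INBOUND) {TCP} 2.22.222.222:80 -> 1.11.111.112:40001",
  "<30>Nov 12 10:07:20 sensor1 sshd[900]: Accepted publickey for ops from 10.0.0.5",
  "<167>Nov 12 10:08:01 sensor2 snort[2211]: [1:1000001:3] SNS-ALERT-CAT1-DNS_Tunnel_Suspected {UDP} 1.11.111.111:53231 -> 9.9.9.9:53",
]
puts summarize_alerts(SAMPLE_LINES, year: 2014).inspect
```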