user3498593
Reputation: 95
Python Regex Parser
I need to fine tune the following regex. Right now it gives me srcip, dstip, srcport, dstport and date. I need it to also give me the protocol (UDP, TCP). Here is the line it needs to parse:
03/09-13:00:59.136048 [**] [1:2003410:9] ET POLICY FTP Login Successful [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.112.100:21 -> 206.48.44.18:1039
Here is my current regex:
([0-9/]+)-([0-9:.]+)\s+.*?(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})\s+->\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d{1,5})
Additionally, it needs to be able to handle requests that have no ports associated with them (like ICMP):
03/09-13:57:26.523602 [**] [1:2100368:7] GPL ICMP_INFO PING BSDtype [**] [Classification: Misc activity] [Priority: 3] {ICMP} 172.16.114.50 -> 172.16.112.207
Upvotes: 1
Views: 109
Answers (1)
10100111001
Reputation: 1832
This regex should work with what you want:
([0-9\/]+)-([0-9:.]+)\s+.*?\s\{(\w+)\}\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):?(\d{1,5})?\s+->\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):?(\d{1,5})?
I have added \s\{(\w+)\}\s to match the protocol. I also made the protocol and the colon preceding it optional.
Upvotes: 1
Related Questions
- Parsing logs using regex
- Parse messages from multiline string in python
- Parsing Snort Alert File with Regex
- python parse string with rules
- Reading/Parsing Snort Alert File Using Python
- Regex in Python 2.7 for extraction of information from Snort log files
- Parsing Snort Logs with PyParsing
- python regexp parse
- More pythonic regex parse
- Python regex parsing