Pomdre

Reputation: 35

Check if string is matching

How can I find out how many times an ip address has been logged?

What I think is this

To this

syslog_2019-05-15.txt looks like this

DROP IN=eth0 OUT= MAC=38:2c:4a:cb:e2:40:10:e8:78:aa:89:ba:08:00 SRC=92.53.90.242 DST=90.149.222.18 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=37773 PROTO=TCP SPT=59155 DPT=1027 SEQ=1687374236 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
192.168.1.1 May 14 00:01:44 kern warning kernel DROP IN=eth0 OUT= MAC=38:2c:4a:cb:e2:40:10:e8:78:aa:89:ba:08:00 SRC=185.216.140.6 DST=90.149.222.18 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=54321 PROTO=TCP SPT=5

Code:

var fs = require('fs');

fs.readFile('C:/Users/sondr/Desktop/koder/Ip_søk_syslog/syslog_2019-05-15.txt', 'utf8', function(err, data) {
  if (err) throw err;

  // Running count of SRC= matches
  var count = 0;

  // Regex: capture the address that follows SRC=
  const reg = /\bSRC=([\.0-9]+)\b/g;

  var m;
  while ((m = reg.exec(data))) {
    console.log("SRC= " + m[1]);
    console.log(++count);
  }

  // DEBUG:
  //console.log(data);
});

Upvotes: 0

Views: 130

Answers (3)

Francis Leigh

Reputation: 1960

Loop through the IP addresses and save each address as a key in an object. If you come across an IP that already exists in the tracker object, take its value and increment it by 1; otherwise default it to 1, as that will be the first time you come across that IP.

const data = [
  '192.168.1.254', 
  '192.168.1.254',
  '192.168.1.254', 
  '192.168.1.254', 
  '192.168.1.254',
  '10.40.89.79'
]

const tracker = {}

data.forEach(d => {
  const count = d in tracker ? ++tracker[d] : 1
  tracker[d] = count
})

Object.keys(tracker).forEach(k => console.log(`${k} (${tracker[k]})`))

I found an IP Address regex online to run match on against your log and then run the same functionality against the matches.

const reg = /\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g
const str = `DROP IN=eth0 OUT= MAC=38:2c:4a:cb:e2:40:10:e8:78:aa:89:ba:08:00 SRC=92.53.90.242 DST=90.149.222.18 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=37773 PROTO=TCP SPT=59155 DPT=1027 SEQ=1687374236 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
192.168.1.1 May 14 00:01:44 kern warning kernel DROP IN=eth0 OUT= MAC=38:2c:4a:cb:e2:40:10:e8:78:aa:89:ba:08:00 SRC=185.216.140.6 DST=90.149.222.18 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=54321 PROTO=TCP SPT=5`

const data = str.match(reg) || []
const tracker = {}

data.forEach(d => {
  const count = d in tracker ? ++tracker[d] : 1
  tracker[d] = count
})

Object.keys(tracker).forEach(k => console.log(`${k} (${tracker[k]})`))

It may be that you can find a better regex online. If so, let me know! :-) UPDATE: I saw @Kunal's regex, which looks good.

Elaborate on this further and build a Function that takes a regex and a string and returns the occurrences of that string against the Regex.

// Returns [printable summary, { match: count }] for every match of r in str
const GET_OCCURRENCE = (r = /no args/g, str = 'no args') => {
  const data = str.match(r) || []
  const tracker = {}

  data.forEach(d => {
    const count = d in tracker ? ++tracker[d] : 1
    tracker[d] = count
  })

  return [
    Object.keys(tracker).reduce((rtn, k) => rtn + ` \n${k} (${tracker[k]})`, ''),
    tracker
  ]
}

const [IPS, IPS_OBJ] = GET_OCCURRENCE(/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g, `DROP IN=eth0 OUT= MAC=38:2c:4a:cb:e2:40:10:e8:78:aa:89:ba:08:00 SRC=92.53.90.242 DST=90.149.222.18 LEN=40 TOS=0x00 PREC=0x00 TTL=243 ID=37773 PROTO=TCP SPT=59155 DPT=1027 SEQ=1687374236 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0
192.168.1.1 May 14 00:01:44 kern warning kernel DROP IN=eth0 OUT= MAC=38:2c:4a:cb:e2:40:10:e8:78:aa:89:ba:08:00 SRC=185.216.140.6 DST=90.149.222.18 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=54321 PROTO=TCP SPT=5`)
console.log(IPS, IPS_OBJ)


const [LETTERS, LETTERS_OBJ] = GET_OCCURRENCE(/[azi]/g, 'bhfgdakdfjsihjkzzjkdldfaajjii')
console.log(LETTERS, LETTERS_OBJ)

Upvotes: 2

Kunal Mukherjee

Reputation: 5853

For simple IP addresses you can use this regex: (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

Breakdown of the Regex:

  • \d matches a digit 0-9, the IP octet can be a minimum of 1 to a maximum of 3 in length.
  • The . period is escaped by \.
  • This is repeated 4 times.

// Each octet is 1 to 3 digits, as in the regex described above
const pattern = /(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})/gm;
const str = `192.168.1.1 May 14 00:01:44     kern    warning kernel  DROP IN=eth0 OUT= MAC=38:2c:4a:cb:e2:40:10:e8:78:aa:89:ba:08:00 SRC=185.216.140.6 DST=90.149.222.18 LEN=40 TOS=0x00 PREC=0x00 TTL=248 ID=54321 PROTO=TCP SPT=5`;

let matchMap = new Map();

let match;

while ((match = pattern.exec(str))) {

  // Get the first captured group
  let group = match[1];

  // If the map doesn't contain the group set its count to 1
  if (!matchMap.has(group)) {
    matchMap.set(group, 1);
  }

  // Else increment the count
  else {
    matchMap.set(group, matchMap.get(group) + 1);
  }
}

// Iterate over the match map now
for (const [key, val] of matchMap) {
  console.log(key + ' -> ' + val);
}

Upvotes: 0

kcode

Reputation: 402

If I understood correctly, you want to get all of the IP addresses from a string and then stack them (duplicates removed). So this regex:

^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$

can check for IP addresses. Now, using the replace method, we can get all of the regex matches. Then we can loop through them and remove duplicates. Look at this code:

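// Sample input (constructed); replace it with the log text read from the file.
var str = 'SRC=192.168.1.1 DST=192.168.1.5 SRC=192.168.1.1 SRC=192.168.1.5 SRC=192.168.1.1';
var IPs = [];
// The ^ and $ anchors are replaced by \b here so that addresses inside a longer line are matched.
str.replace(
    /\b(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\b/g,
    function(match) {
        IPs[IPs.length] = match;
        return match;
    }
);
// Count how many times each address was found.
var stackedIPs = {};
for (var i = 0; i < IPs.length; i++) {
    if (stackedIPs[IPs[i]] == null) {
        stackedIPs[IPs[i]] = 1;
    } else {
        stackedIPs[IPs[i]] = stackedIPs[IPs[i]] + 1;
    }
}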

stackedIPs will give you an object that looks like this:

{
    "192.168.1.1": 3,
    "192.168.1.5": 2,
    ...
}

Where the number assigned to each IP address is the amount of times it was found.

Upvotes: 0
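Added example (not part of any answer above): the answers' generic IPv4 regexes also count the syslog host and the `DST=` address, so this sketch parses the `KEY=VALUE` fields of each DROP line and counts only `SRC=`, also tracking distinct destination ports per source. The sample log is constructed, and the function names are assumptions of this example.

```javascript
// Constructed sample in the question's log format (documentation-range addresses).
const SAMPLE_LOG = [
  '192.168.1.1 May 14 00:01:40 kern warning kernel DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=59155 DPT=1027 SYN URGP=0',
  '192.168.1.1 May 14 00:01:44 kern warning kernel DROP IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=3389 SYN URGP=0',
  '192.168.1.1 May 14 00:01:45 kern warning kernel DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=59156 DPT=1028 SYN URGP=0',
  '192.168.1.1 May 14 00:01:46 kern warning kernel DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=59157 DPT=1027 SYN URGP=0',
  '192.168.1.1 May 14 00:01:47 kern warning kernel DROP IN=eth0 OUT= SRC=999.1.1.1 DST=192.0.2.10 PROTO=TCP SPT=1 DPT=22',
  '192.168.1.1 May 14 00:01:50 daemon info dnsmasq query from 192.168.1.20',
].join('\n');

// Split one line into KEY=VALUE fields; bare flags such as SYN are ignored.
function parseFields(line) {
  const fields = new Map(); // a Map, so log-supplied keys cannot collide with object properties
  for (const tok of line.trim().split(/\s+/)) {
    const eq = tok.indexOf('=');
    if (eq > 0) fields.set(tok.slice(0, eq), tok.slice(eq + 1));
  }
  return fields;
}

// Strict dotted quad: exactly four decimal octets, each 0-255.
function isIPv4(s) {
  const parts = String(s).split('.');
  return parts.length === 4 && parts.every(p => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// Map of source IP -> { hits, ports }, counting only SRC= on DROP lines.
function countSources(logText) {
  const stats = new Map();
  for (const line of logText.split(/\r?\n/)) {
    if (!/\bDROP\b/.test(line)) continue;
    const f = parseFields(line);
    const src = f.get('SRC');
    if (!isIPv4(src)) continue; // missing or malformed source address
    const entry = stats.get(src) || { hits: 0, ports: new Set() };
    entry.hits += 1;
    if (f.has('DPT')) entry.ports.add(f.get('DPT'));
    stats.set(src, entry);
  }
  return stats;
}

// Rows sorted by hit count, highest first.
function topSources(stats) {
  return [...stats].map(([ip, e]) => ({ ip, hits: e.hits, distinctPorts: e.ports.size }))
    .sort((a, b) => b.hits - a.hits);
}

console.table(topSources(countSources(SAMPLE_LOG)));
```

A source with many hits spread over many distinct ports looks like a scan; many hits on a single port looks like a retry or a targeted probe.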
