
Reading/Parsing Snort Alert File Using Python

What is the best way of setting parts of a text file (snort alert) into separate variables?

eg "Snort Log Output"

08/17-11:41:07.350700  [**] [1:1000011:0] [*] [Priority: 0] {TCP} 192.168.0.1:24586 -> 192.168.0.8:53804

I need to set:

08/17-11:41:07.350700
192.168.0.1:24586
192.168.0.8:53804

to separate variables.

It is not essential, but I would like the possibility of reading/setting multiple alerts from the same file.

But first I would like to set only one alert.

Parsing strings is often done using regular expressions. I recommend reading the re module documentation.

But in your case you could get away with the split() string method:

>>> s='08/17-11:41:07.350700 [**] [1:1000011:0] [*] [Priority: 0] {TCP} 192.168.0.1:24586 -> 192.168.0.8:53804'
>>> rec = s.split()
>>> rec
['08/17-11:41:07.350700', '[**]', '[1:1000011:0]', '[*]', '[Priority:', '0]', '{TCP}', '192.168.0.1:24586', '->', '192.168.0.8:53804']
>>> ts = rec[0]
>>> src = rec[7]   # rec[6] is '{TCP}'; the two addresses sit at indices 7 and 9
>>> dst = rec[9]

A variant on the theme.

#Python 2.7.3

snort = '08/17-11:41:07.350700 [**] [1:1000011:0] [*] [Priority: 0] {TCP} 192.168.0.1:24586 -> 192.168.0.8:53804'

(dt,x,x,x,x,x,x,ip1,x,ip2) = snort.split()

print (dt,ip1,ip2)
('08/17-11:41:07.350700', '192.168.0.1:24586', '192.168.0.8:53804')
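Both answers index the tokens returned by split(). That works for the one line in the question, but it breaks as soon as an alert carries a rule message with spaces in it (in Snort's fast alert format the message sits between the two [**] markers, e.g. "ICMP PING"), or the protocol is ICMP, which has no port numbers, because the token positions shift. The following is an added example, not code from the question or either answer: it takes the regex route the first answer recommends and reads every alert in a file, as the question asks. The lines in SAMPLE_ALERTS are constructed for this example (the first is the question's line); the parser assumes IPv4 addresses and Snort's default fast-format field order.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Snort "fast" alert line (field order as printed by Snort's alert_fast output):
#   MM/DD[/YY]-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {PROTO} src:port -> dst:port
# Assumptions for this example: IPv4 addresses only. Ports are optional because
# ICMP alerts carry none; message and classification are optional because the
# question's sample line has neither; the year is optional (Snort adds it only
# with -y); the second marker may be "[**]" or, as shown in the question, "[*]".
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}(?:/\d{2,4})?-\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"\[\*\*\]\s*\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s*"
    r"(?P<msg>.*?)\s*\[\*+\]\s*"
    r"(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s*)?"
    r"\[Priority:\s*(?P<priority>\d+)\]\s*"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?\s+->\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dst_port>\d+))?\s*$"
)


@dataclass
class Alert:
    timestamp: str
    gid: int
    sid: int
    rev: int
    msg: str
    classification: Optional[str]
    priority: int
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]

    @property
    def src(self) -> str:
        """'ip:port' as Snort prints it, or just the ip for portless protocols."""
        return f"{self.src_ip}:{self.src_port}" if self.src_port is not None else self.src_ip

    @property
    def dst(self) -> str:
        return f"{self.dst_ip}:{self.dst_port}" if self.dst_port is not None else self.dst_ip


def parse_alert(line: str) -> Optional[Alert]:
    """Parse one fast-format alert line; return None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None

    def port(s: Optional[str]) -> Optional[int]:
        return int(s) if s is not None else None

    return Alert(
        timestamp=m["ts"],
        gid=int(m["gid"]), sid=int(m["sid"]), rev=int(m["rev"]),
        msg=m["msg"],
        classification=m["classification"],
        priority=int(m["priority"]),
        proto=m["proto"],
        src_ip=m["src_ip"], src_port=port(m["src_port"]),
        dst_ip=m["dst_ip"], dst_port=port(m["dst_port"]),
    )


def parse_alerts(lines: Iterable[str]) -> List[Alert]:
    """Parse every alert in an iterable of lines (e.g. an open file); non-alert lines are skipped."""
    return [a for a in (parse_alert(line) for line in lines) if a is not None]


# Constructed sample input: line 1 is the question's alert; the others are made up
# to exercise a rule message containing spaces, a classification, and ICMP (no ports).
SAMPLE_ALERTS = """\
08/17-11:41:07.350700  [**] [1:1000011:0] [*] [Priority: 0] {TCP} 192.168.0.1:24586 -> 192.168.0.8:53804
08/17-11:41:09.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.0.8:40122

08/17-11:41:10.000001  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.0.1 -> 192.168.0.8
this line is not an alert and is skipped
"""


if __name__ == "__main__":
    # For a real file: with open("/var/log/snort/alert") as f: alerts = parse_alerts(f)
    for a in parse_alerts(SAMPLE_ALERTS.splitlines()):
        print(a.timestamp, a.src, "->", a.dst, f"[{a.gid}:{a.sid}:{a.rev}] {a.msg!r}")
```

Because parse_alerts accepts any iterable of lines, passing an open file object streams the alert file one line at a time instead of loading it whole, and lines that do not match (blank lines, truncated writes, foreign log formats) are dropped rather than throwing the field positions off as they would with split().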
