• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 378
  • Last Modified:

Regex Optional Items

I am trying to parse the following text string example.  The variations of text strings make it necessary to have most of the string matches as optional.  Could anyone help me figure this out?
The (www.bob.com) is sometimes there and sometimes not and its location is often varied, but always comes after the first ip.


Sub Main1()
Dim s1 As String, A As String, B As String, S As String, D As String, N As String
Dim RegEx, RegO, Matches, SubM
    Set RegEx = CreateObject("vbscript.regexp")
    RegEx.Pattern = "(src outside:)(\d{1,3}\.\d{1,3}.\d{1,3}\.\d{1,3})(?:\/\d+\b)?\s{1}(\(.+?\))

    RegEx.Global = True
    s1 =  ":%PIX-4-402106: Deny tcp src outside:1.1.1.2/80 dst (www.bob.com) inside:123.124.129.123/5694 by access-group outside_access_in"

    Set RegO = RegEx.Execute(s1)
    For Each Matches In RegO
        Set SubM = Matches.submatches
        Select Case SubM(0)
            Case "src outside:"
                A = SubM(1)
                S = SubM(2)
            Case "remote:"
                B = SubM(1)
                D = SubM(2)
                   End Select
    Next
    MsgBox A & " " & S & vbNewLine & B & " " & D & vbNewLine & N
End Sub
0
brian_appliedcpu
Asked:
brian_appliedcpu
  • 5
  • 3
1 Solution
 
Dave BrettCommented:
Hi Brian,

The current pattern isn't matching the string as this portion, (?:\/\d+\b)?\s{1}(\(.+?\))
is looking for
/number... space...bracketed text
but the string is
/number... space..text.....bracketed text
/80 dst (www.bob.com)

if you try the pattern below, it will take anything after the /number and before the (text) as a wildcard

Sub Main1()
    Dim s1 As String, A As String, B As String, S As String, D As String, N As String
    Dim RegEx, RegO, Matches, SubM
    Set RegEx = CreateObject("vbscript.regexp")
    RegEx.Pattern = "(src outside:)(\d{1,3}\.\d{1,3}.\d{1,3}\.\d{1,3})(\/\d+\b)?.+?(\(.+?\))"
    RegEx.Global = True
    s1 = ":%PIX-4-402106: Deny tcp src outside:1.1.1.2/80 dst (www.bob.com) inside:123.124.129.123/5694 by access-group outside_access_in"
    Set RegO = RegEx.Execute(s1)
    For Each Matches In RegO
        Set SubM = Matches.submatches
        Select Case SubM(0)
        Case "src outside:"
            A = SubM(1)
            S = SubM(2)
            Z = SubM(3)
        Case "remote:"
            B = SubM(1)
            D = SubM(2)
        End Select
    Next
    MsgBox A & " " & S & " " & Z & vbNewLine & B & " " & D & vbNewLine & N
End Sub

Cheers

Dave
0
 
brian_appliedcpuAuthor Commented:
Ok...but sometimes the (bob.com) is not there, can this be made optional?

0
 
brian_appliedcpuAuthor Commented:
Here is an odd ball string whre there is no / after the ip number but does have a (www.bob.com) followed by an additional (0).  I don't care at this point about the (0) but I do need the (www.bob.com).

:%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.3 (customermex-148-244-192-88.alestra.net.mx) (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
Dave BrettCommented:
Brian,

The code below doesn't do exactlty what I'd expect. It works for the case you want above but if I try the line
"%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.3 customermex-148-244-192-88.alestra.net.mx (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)"
it should return
1.1.2.3 (0)
but it returns
1.1.2.3
I will keep checking this

Rather than match
"src outside"
it needs to match
"outside/"

Cheers

Dave

Sub Main1()
    Dim s1 As String, A As String, B As String, S As String, D As String, N As String
    Dim RegEx, RegO, Matches, SubM
    Set RegEx = CreateObject("vbscript.regexp")
    RegEx.Pattern = "(outside\/)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\/\d+)?.+?(\(.+?\))?"
    RegEx.Global = True
    s1 = ":%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.3 (customermex-148-244-192-88.alestra.net.mx) (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)"
    Set RegO = RegEx.Execute(s1)
    For Each Matches In RegO
        Set SubM = Matches.submatches
        Select Case SubM(0)
        Case "outside/"
            A = SubM(1)
            S = SubM(2)
            Z = SubM(3)
        Case "remote:"
            B = SubM(1)
            D = SubM(2)
        End Select
    Next
    MsgBox A & " " & S & " " & Z & vbNewLine & B & " " & D & vbNewLine & N
End Sub
0
 
brian_appliedcpuAuthor Commented:
I am about ready to quit and hire someone to do this for me....
I have broken the routine into two parts, one for the source and one for the destination.
Unfortunately I am having an issue with some of the messages since they have the word interface in them.
That is not the only issue I am having though....
I have included all of the known strings for M the NR means Not Required the ng means no good, It doesn't work
Would you take a look at this?

Also, If I want them as two seperate sections can I split them up?...ie run thru for the source stuff and then below run thru the destination stuff.
I thought I could just
'*****************************
 Set RegP = RegEx.Execute(N)
    For Each Matches In RegP
        Set SubN = Matches.SubMatches
        Select Case SubN(0)
' etc.....
' **********************


Option Explicit
Sub Main()


    Dim M
   
    Dim RegEx, RegO, Matches, SubM
    Dim Broken As String
Dim CiscoMessID As Long
Dim DateOfMessage As String
Dim errMessage As String
Dim errStr As String
Dim FirewallIP As String
Dim FirewallPW As String
Dim FirewallEN As String
Dim FirewallSSH As String
Dim InstancesOfShun As Integer
Dim Item1 As String
Dim Item2 As String

Dim MessExp As String
Dim MessAction As String
Dim OffenderDNS As String
Dim OffenderPT As String
Dim OffenderIP As String
Dim OldShunState As String
Dim PermanentShun As String

Dim SafeIP As String
Dim ShunSec As Integer
Dim ShunState As String
Dim TargetDNS As String
Dim TargetPT As String
Dim TargetIP As String
Dim TimeOfMessage As String
Dim TimeOfShun As String
Dim Shun1 As String
Dim TimeOfIncident As Date
Dim TargetInterface As String


' M = ":%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.2 (customermex-148-244-192-88.alestra.net.mx) (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)"
' M = ":%PIX-4-106023: Deny tcp src outside:123.13.12.123 (bob.com) /80 dst interface inside 0 /5694 by ""access-group"""
' M = ":%PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 65.6.136.15 (adsl-065-006-136-015.sip.clt.bellsouth.net) , src_addr= 24.93.90.231 (clt90-231.carolina.rr.com) , prot= tcp"
' M = ":%PIX-4-500004: Invalid transport field for protocol=6, from 200.82.95.177 (host177.200-82-95.telecom.net.ar) /0 to 66.193.215.7 (66-193-215-7.gen.twtelecom.net) /25"
' M = ":%PIX-3-710003: TCP access denied by ACL from 217.175.237.188 (s-am4.aman.de) /55286 to outside:65.6.136.15 (adsl-065-006-136-015.sip.clt.bellsouth.net) /ssh"
' M = ":%PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 65.6.136.15 (adsl-065-006-136-015.sip.clt.bellsouth.net) , src_addr= 218.14.128.202 (unresolved) , prot= tcp"
' M = ":%PIX-3-313001: Denied ICMP type=11, code=0 from 166.90.128.161 (ge-4-0-218.ipcolo2.SanFrancisco1.Level3.net)  on interface 0"
' Sample Messages
'M = "%PIX-1-107001: RIP auth failed from 1.1.1.1: version=number, type=string, mode=string, sequence=number on interface inside"
'M = "%PIX-1-107002: RIP pkt failed from 1.1.1.1: version=number on interface inside"
'x M = "%PIX-4-109017: User at 1.1.1.1 exceeded auth proxy connection limit (max)"
'M = "%PIX-2-201003: Embryonic limit exceeded nconns/elimit for 1.1.1.1/25 (global_address) 2.2.2.2/80 on interface outside"
'ng M = "%PIX-4-209003: Fragment database limit of number exceeded: src = 1.1.1.1,dest = 2.2.2.2, proto = protocol, id = number"
'M = "%PIX-6-308001: PIX console enable password incorrect for number tries (from 1.1.1.1)"
'ng M = "%PIX-2-106020: Deny IP teardrop fragment (size = number, offset = number) from 1.1.1.1 to 2.2.2.2"
' M = "%PIX-1-106022: Deny protocol connection spoof from 1.1.1.1 to 2.2.2.2 on interface inside"
'M = "%PIX-4-402102: decapsulate: packet missing {AH|ESP}, destadr=2.2.2.2, actual prot=protocol"
M = "%PIX-4-402103: identity doesn't match negotiated identity (ip) dest_address= 2.2.2.2, src_addr= 1.1.1.1, prot= protocol, (ident) local=2.2.2.2, remote=1.1.1.1, local_proxy=IP_address/IP_address/port/port, remote_proxy=2.2.2.2/IP_address/port/port"
'ng M = "%PIX-4-403109: Rec'd packet not an PPTP packet. (ip) dest_address= 1.1.1.1, src_addr= 2.2.2.2, data:"
'ng M = "%PIX-7-710005: request discarded from 1.1.1.1/25 to outside:2.2.2.2/service"
'M = "%PIX-3-710003: {TCP|UDP} access denied by ACL from 1.1.1.1/25 to inside:2.2.2.2/service"
'M = "%PIX-4-500004: Invalid transport field for protocol=protocol, from 1.1.1.1/25 to 2.2.2.2/80"
'M = "%PIX-4-402106: Rec'd packet not an IPSEC packet (ip) dest_address= 2.2.2.2, src_addr= 1.1.1.1, prot= protocol"
'M = "%PIX-4-106023: Deny protocol src outside:1.1.1.1/25] dst interface inside:2.2.2.2/80 [type {string}, code {code}] by access_group acl_ID"
'M = "%PIX-1-106021: Deny protocol reverse path check from 1.1.1.1 to 2.2.2.2 on interface interface_name"
'M = "%PIX-2-106016: Deny IP spoof from 1.1.1.1 to 2.2.2.2 on interface inside."
'M = "%PIX-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 2.2.2.2"
'M = "%PIX-3-313001: Denied ICMP type=number, code=code from 1.1.1.1 on interface inside"
'NR M = "%PIX-4-313003: Invalid destination for ICMP error"
'M = "%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=2.2.2.2, prot=protocol, spi=number"
'Not Required M = "%PIX-1-106101 The number of ACL log deny-flows has reached limit (number)."
'NR M = "%PIX-3-302302: ACL = deny; no sa created"
'NR   M = "%PIX-3-407002: Embryonic limit neconns/elimit for through connections exceeded.1.1.1.1/25 to global_address (2.2.2.2)/80 on interface outside"
'NR M = "%PIX-7-701001: alloc_user() out of Tcp_user objects"
'NR M = "%PIX-4-405002: Received mac mismatch collision from 1.1.1.1/mac_address for authenticated host"
'  End of sample Messages
   
    Set RegEx = CreateObject("vbscript.regexp")
   
' Now identify the Firewall Interfaces
' Parsing string for destination Target


'RegEx.Pattern = "(dest = |dest_address= |destadr= |destaddr= |dst_addr= |dest_addr= |inside:|outside:|dmz:|dmz\/|inside\/)                      (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\/\d+\b)?\s{0,1}(\(.+?\))|(interface)\b.+\?\b(\d)\b|(interface inside|interface outside|interface dmz)"
'RegEx.Pattern = "(dest_address= |outside:|outside\/|remote= |from |from                                                        \()(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\/\d+)?.+?(\(.+?\))?"
 RegEx.Pattern = "(dest = |dest_address= |destadr= |destaddr= | inside:| to |dest_addr= |to outside:|dst outside:|dst_addr= |dmz:|dmz\/|inside\/)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\/\d+\b)?\s{1,1}(\(.+?\))|(interface)\b.+\?\b(\d)\b|(interface inside|interface outside|interface dmz)"
    RegEx.Global = True
    Set RegO = RegEx.Execute(M)
    For Each Matches In RegO
        Set SubM = Matches.SubMatches
        Select Case SubM(0)
        Case "dest = "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dest_address= "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case " destadr= "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "destaddr= "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dst_addr= "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dest_addr= "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "inside:"
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "outside:"
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dmz:"
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dmz/"
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "inside/"
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dst interface "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
       
             
        Case ""
            If SubM(3) = "interface" Then TargetIP = SubM(4)
            If SubM(3) = Empty Then TargetIP = SubM(5)
        Case Else
           
        End Select
       
    Next


If TargetIP = "inside" Then
 TargetIP = "Firewall Interface Inside"
ElseIf TargetIP = "0" Then
    TargetIP = "Firewall Interface Outside"
ElseIf TargetIP = "1" Then
    TargetIP = "Firewall Interface Inside"
ElseIf TargetIP = "2" Then
    TargetIP = "Firewall Interface DMZ "
ElseIf TargetIP = "3" Then
    TargetIP = "Firewall Interface DMZ 2"
ElseIf TargetIP = "4" Then
    TargetIP = "Firewall Interface DMZ 3"
ElseIf TargetIP = "5" Then
    TargetIP = "Firewall Interface DMZ 4"
ElseIf TargetIP = "6" Then
    TargetIP = "Firewall Interface DMZ 5"
ElseIf TargetIP = "7" Then
    TargetIP = "Firewall Interface DMZ 6"
ElseIf TargetIP = "8" Then
    TargetIP = "Firewall Interface DMZ 7"
ElseIf TargetIP = "9" Then
    TargetIP = "Firewall Interface DMZ 8"
Else
TargetIP = TargetIP
TargetDNS = TargetDNS

End If

MsgBox "TargetIP is " & TargetIP
MsgBox "TargetDNS is " & TargetDNS
MsgBox "TargetInterface is " & TargetInterface



End Sub

0
 
Dave BrettCommented:
Hi Brian,

I've been away but I'll start taking a look ...... gulp

You should post a question in the Perl TA either linking to this problem or restating it, there are a couple of excellent RegEx guys there

Cheers

Dave
0
 
Dave BrettCommented:
Brian,

Yes, it wouldn't be a bad idea to run two regexps's to match the source and destination independently

I think that this revised code should work for your optional (www.bob.com)

Sub Main1()
Dim s1 As String, A As String, B As String, S As String, D As String, N As String
Dim RegEx, RegO, Matches, SubM
    Set RegEx = CreateObject("vbscript.regexp")
    RegEx.Pattern = "(outside\/)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\/\d+)?(.+?(\(.+?\)){1}|.+?)"
    RegEx.Global = True
    s1 = ":%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.3 (customermex-148-244-192-88.alestra.net.mx) (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)"
    Set RegO = RegEx.Execute(s1)
    For Each Matches In RegO
        Set SubM = Matches.submatches
        Select Case SubM(0)
            Case "outside/"
                A = SubM(1)
                S = SubM(2)
                Z = SubM(4)
        End Select
        MsgBox A & " " & S & " " & Z & vbNewLine & vbNewLine & "Total match was: " & vbNewLine & Matches
    Next
End Sub

Cheers

Dave
0
 
Dave BrettCommented:
Brian,

Thanks for the grade.

Is this all working for you now?

Cheers

Dave
0

Featured Post

Hire Technology Freelancers with Gigs

Work with freelancers specializing in everything from database administration to programming, who have proven themselves as experts in their field. Hire the best, collaborate easily, pay securely, and get projects done right.

  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now