Solved

Regex Optional Items

Posted on 2004-09-04
Last Modified: 2008-02-01
I am trying to parse the following text string example.  The variations of text strings make it necessary to have most of the string matches as optional.  Could anyone help me figure this out?
The (www.bob.com) is sometimes there and sometimes not and its location is often varied, but always comes after the first IP.


Sub Main1()
    Dim s1 As String, A As String, B As String, S As String, D As String, N As String
    Dim RegEx, RegO, Matches, SubM
    Set RegEx = CreateObject("vbscript.regexp")
    RegEx.Pattern = "(src outside:)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\/\d+\b)?\s{1}(\(.+?\))"
    RegEx.Global = True
    s1 =  ":%PIX-4-402106: Deny tcp src outside:1.1.1.2/80 dst (www.bob.com) inside:123.124.129.123/5694 by access-group outside_access_in"

    Set RegO = RegEx.Execute(s1)
    For Each Matches In RegO
        Set SubM = Matches.submatches
        Select Case SubM(0)
            Case "src outside:"
                A = SubM(1)
                S = SubM(2)
            Case "remote:"
                B = SubM(1)
                D = SubM(2)
        End Select
    Next
    MsgBox A & " " & S & vbNewLine & B & " " & D & vbNewLine & N
End Sub
0
Question by:brian_appliedcpu
Expert Comment

by:Dave Brett
Hi Brian,

The current pattern isn't matching the string as this portion, (?:\/\d+\b)?\s{1}(\(.+?\))
is looking for
/number... space...bracketed text
but the string is
/number... space..text.....bracketed text
/80 dst (www.bob.com)

If you try the pattern below, it will take anything after the /number and before the (text) as a wildcard.

Sub Main1()
    Dim s1 As String, A As String, B As String, S As String, D As String, N As String, Z As String
    Dim RegEx, RegO, Matches, SubM
    Set RegEx = CreateObject("vbscript.regexp")
    RegEx.Pattern = "(src outside:)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\/\d+\b)?.+?(\(.+?\))"
    RegEx.Global = True
    s1 = ":%PIX-4-402106: Deny tcp src outside:1.1.1.2/80 dst (www.bob.com) inside:123.124.129.123/5694 by access-group outside_access_in"
    Set RegO = RegEx.Execute(s1)
    For Each Matches In RegO
        Set SubM = Matches.submatches
        Select Case SubM(0)
        Case "src outside:"
            A = SubM(1)
            S = SubM(2)
            Z = SubM(3)
        Case "remote:"
            B = SubM(1)
            D = SubM(2)
        End Select
    Next
    MsgBox A & " " & S & " " & Z & vbNewLine & B & " " & D & vbNewLine & N
End Sub

Cheers

Dave
0
 
Author Comment

by:brian_appliedcpu
Ok...but sometimes the (bob.com) is not there, can this be made optional?

0
 
Author Comment

by:brian_appliedcpu
Here is an odd ball string where there is no / after the IP number but does have a (www.bob.com) followed by an additional (0).  I don't care at this point about the (0) but I do need the (www.bob.com).

:%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.3 (customermex-148-244-192-88.alestra.net.mx) (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)
0
 
Expert Comment

by:Dave Brett
Brian,

The code below doesn't do exactly what I'd expect. It works for the case you want above but if I try the line
"%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.3 customermex-148-244-192-88.alestra.net.mx (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)"
it should return
1.1.2.3 (0)
but it returns
1.1.2.3
I will keep checking this

Rather than match
"src outside"
it needs to match
"outside/"

Cheers

Dave

Sub Main1()
    Dim s1 As String, A As String, B As String, S As String, D As String, N As String, Z As String
    Dim RegEx, RegO, Matches, SubM
    Set RegEx = CreateObject("vbscript.regexp")
    RegEx.Pattern = "(outside\/)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\/\d+)?.+?(\(.+?\))?"
    RegEx.Global = True
    s1 = ":%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.3 (customermex-148-244-192-88.alestra.net.mx) (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)"
    Set RegO = RegEx.Execute(s1)
    For Each Matches In RegO
        Set SubM = Matches.submatches
        Select Case SubM(0)
        Case "outside/"
            A = SubM(1)
            S = SubM(2)
            Z = SubM(3)
        Case "remote:"
            B = SubM(1)
            D = SubM(2)
        End Select
    Next
    MsgBox A & " " & S & " " & Z & vbNewLine & B & " " & D & vbNewLine & N
End Sub
0
Author Comment

by:brian_appliedcpu
I am about ready to quit and hire someone to do this for me....
I have broken the routine into two parts, one for the source and one for the destination.
Unfortunately I am having an issue with some of the messages since they have the word interface in them.
That is not the only issue I am having though....
I have included all of the known strings for M. NR means Not Required; ng means no good (it doesn't work).
Would you take a look at this?

Also, if I want them as two separate sections, can I split them up? I.e. run thru for the source stuff and then below run thru the destination stuff.
I thought I could just
'*****************************
 Set RegP = RegEx.Execute(N)
    For Each Matches In RegP
        Set SubN = Matches.SubMatches
        Select Case SubN(0)
' etc.....
' **********************


Option Explicit
Sub Main()


    Dim M
   
    Dim RegEx, RegO, Matches, SubM
    Dim Broken As String
Dim CiscoMessID As Long
Dim DateOfMessage As String
Dim errMessage As String
Dim errStr As String
Dim FirewallIP As String
Dim FirewallPW As String
Dim FirewallEN As String
Dim FirewallSSH As String
Dim InstancesOfShun As Integer
Dim Item1 As String
Dim Item2 As String

Dim MessExp As String
Dim MessAction As String
Dim OffenderDNS As String
Dim OffenderPT As String
Dim OffenderIP As String
Dim OldShunState As String
Dim PermanentShun As String

Dim SafeIP As String
Dim ShunSec As Integer
Dim ShunState As String
Dim TargetDNS As String
Dim TargetPT As String
Dim TargetIP As String
Dim TimeOfMessage As String
Dim TimeOfShun As String
Dim Shun1 As String
Dim TimeOfIncident As Date
Dim TargetInterface As String


' M = ":%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.2 (customermex-148-244-192-88.alestra.net.mx) (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)"
' M = ":%PIX-4-106023: Deny tcp src outside:123.13.12.123 (bob.com) /80 dst interface inside 0 /5694 by ""access-group"""
' M = ":%PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 65.6.136.15 (adsl-065-006-136-015.sip.clt.bellsouth.net) , src_addr= 24.93.90.231 (clt90-231.carolina.rr.com) , prot= tcp"
' M = ":%PIX-4-500004: Invalid transport field for protocol=6, from 200.82.95.177 (host177.200-82-95.telecom.net.ar) /0 to 66.193.215.7 (66-193-215-7.gen.twtelecom.net) /25"
' M = ":%PIX-3-710003: TCP access denied by ACL from 217.175.237.188 (s-am4.aman.de) /55286 to outside:65.6.136.15 (adsl-065-006-136-015.sip.clt.bellsouth.net) /ssh"
' M = ":%PIX-4-402106: Rec'd packet not an IPSEC packet. (ip) dest_addr= 65.6.136.15 (adsl-065-006-136-015.sip.clt.bellsouth.net) , src_addr= 218.14.128.202 (unresolved) , prot= tcp"
' M = ":%PIX-3-313001: Denied ICMP type=11, code=0 from 166.90.128.161 (ge-4-0-218.ipcolo2.SanFrancisco1.Level3.net)  on interface 0"
' Sample Messages
'M = "%PIX-1-107001: RIP auth failed from 1.1.1.1: version=number, type=string, mode=string, sequence=number on interface inside"
'M = "%PIX-1-107002: RIP pkt failed from 1.1.1.1: version=number on interface inside"
'x M = "%PIX-4-109017: User at 1.1.1.1 exceeded auth proxy connection limit (max)"
'M = "%PIX-2-201003: Embryonic limit exceeded nconns/elimit for 1.1.1.1/25 (global_address) 2.2.2.2/80 on interface outside"
'ng M = "%PIX-4-209003: Fragment database limit of number exceeded: src = 1.1.1.1,dest = 2.2.2.2, proto = protocol, id = number"
'M = "%PIX-6-308001: PIX console enable password incorrect for number tries (from 1.1.1.1)"
'ng M = "%PIX-2-106020: Deny IP teardrop fragment (size = number, offset = number) from 1.1.1.1 to 2.2.2.2"
' M = "%PIX-1-106022: Deny protocol connection spoof from 1.1.1.1 to 2.2.2.2 on interface inside"
'M = "%PIX-4-402102: decapsulate: packet missing {AH|ESP}, destadr=2.2.2.2, actual prot=protocol"
M = "%PIX-4-402103: identity doesn't match negotiated identity (ip) dest_address= 2.2.2.2, src_addr= 1.1.1.1, prot= protocol, (ident) local=2.2.2.2, remote=1.1.1.1, local_proxy=IP_address/IP_address/port/port, remote_proxy=2.2.2.2/IP_address/port/port"
'ng M = "%PIX-4-403109: Rec'd packet not an PPTP packet. (ip) dest_address= 1.1.1.1, src_addr= 2.2.2.2, data:"
'ng M = "%PIX-7-710005: request discarded from 1.1.1.1/25 to outside:2.2.2.2/service"
'M = "%PIX-3-710003: {TCP|UDP} access denied by ACL from 1.1.1.1/25 to inside:2.2.2.2/service"
'M = "%PIX-4-500004: Invalid transport field for protocol=protocol, from 1.1.1.1/25 to 2.2.2.2/80"
'M = "%PIX-4-402106: Rec'd packet not an IPSEC packet (ip) dest_address= 2.2.2.2, src_addr= 1.1.1.1, prot= protocol"
'M = "%PIX-4-106023: Deny protocol src outside:1.1.1.1/25] dst interface inside:2.2.2.2/80 [type {string}, code {code}] by access_group acl_ID"
'M = "%PIX-1-106021: Deny protocol reverse path check from 1.1.1.1 to 2.2.2.2 on interface interface_name"
'M = "%PIX-2-106016: Deny IP spoof from 1.1.1.1 to 2.2.2.2 on interface inside."
'M = "%PIX-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 2.2.2.2"
'M = "%PIX-3-313001: Denied ICMP type=number, code=code from 1.1.1.1 on interface inside"
'NR M = "%PIX-4-313003: Invalid destination for ICMP error"
'M = "%PIX-4-402101: decaps: rec'd IPSEC packet has invalid spi for destaddr=2.2.2.2, prot=protocol, spi=number"
'Not Required M = "%PIX-1-106101 The number of ACL log deny-flows has reached limit (number)."
'NR M = "%PIX-3-302302: ACL = deny; no sa created"
'NR   M = "%PIX-3-407002: Embryonic limit neconns/elimit for through connections exceeded.1.1.1.1/25 to global_address (2.2.2.2)/80 on interface outside"
'NR M = "%PIX-7-701001: alloc_user() out of Tcp_user objects"
'NR M = "%PIX-4-405002: Received mac mismatch collision from 1.1.1.1/mac_address for authenticated host"
'  End of sample Messages
   
    Set RegEx = CreateObject("vbscript.regexp")
   
' Now identify the Firewall Interfaces
' Parsing string for destination Target


'RegEx.Pattern = "(dest = |dest_address= |destadr= |destaddr= |dst_addr= |dest_addr= |inside:|outside:|dmz:|dmz\/|inside\/)                      (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\/\d+\b)?\s{0,1}(\(.+?\))|(interface)\b.+\?\b(\d)\b|(interface inside|interface outside|interface dmz)"
'RegEx.Pattern = "(dest_address= |outside:|outside\/|remote= |from |from                                                        \()(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\/\d+)?.+?(\(.+?\))?"
 RegEx.Pattern = "(dest = |dest_address= |destadr= |destaddr= | inside:| to |dest_addr= |to outside:|dst outside:|dst_addr= |dmz:|dmz\/|inside\/)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(?:\/\d+\b)?\s{1,1}(\(.+?\))|(interface)\b.+\?\b(\d)\b|(interface inside|interface outside|interface dmz)"
    RegEx.Global = True
    Set RegO = RegEx.Execute(M)
    For Each Matches In RegO
        Set SubM = Matches.SubMatches
        Select Case SubM(0)
        Case "dest = "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dest_address= "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case " destadr= "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "destaddr= "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dst_addr= "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dest_addr= "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "inside:"
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "outside:"
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dmz:"
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dmz/"
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "inside/"
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
        Case "dst interface "
           TargetIP = SubM(1)
           TargetDNS = SubM(2)
           TargetInterface = SubM(3)
       
             
        Case ""
            If SubM(3) = "interface" Then TargetIP = SubM(4)
            If SubM(3) = Empty Then TargetIP = SubM(5)
        Case Else
           
        End Select
       
    Next


If TargetIP = "inside" Then
 TargetIP = "Firewall Interface Inside"
ElseIf TargetIP = "0" Then
    TargetIP = "Firewall Interface Outside"
ElseIf TargetIP = "1" Then
    TargetIP = "Firewall Interface Inside"
ElseIf TargetIP = "2" Then
    TargetIP = "Firewall Interface DMZ "
ElseIf TargetIP = "3" Then
    TargetIP = "Firewall Interface DMZ 2"
ElseIf TargetIP = "4" Then
    TargetIP = "Firewall Interface DMZ 3"
ElseIf TargetIP = "5" Then
    TargetIP = "Firewall Interface DMZ 4"
ElseIf TargetIP = "6" Then
    TargetIP = "Firewall Interface DMZ 5"
ElseIf TargetIP = "7" Then
    TargetIP = "Firewall Interface DMZ 6"
ElseIf TargetIP = "8" Then
    TargetIP = "Firewall Interface DMZ 7"
ElseIf TargetIP = "9" Then
    TargetIP = "Firewall Interface DMZ 8"
Else
TargetIP = TargetIP
TargetDNS = TargetDNS

End If

MsgBox "TargetIP is " & TargetIP
MsgBox "TargetDNS is " & TargetDNS
MsgBox "TargetInterface is " & TargetInterface



End Sub

0
 
Expert Comment

by:Dave Brett
Hi Brian,

I've been away but I'll start taking a look ...... gulp

You should post a question in the Perl TA either linking to this problem or restating it, there are a couple of excellent RegEx guys there

Cheers

Dave
0
 
Accepted Solution

by: Dave Brett earned 500 total points
Brian,

Yes, it wouldn't be a bad idea to run two regexps to match the source and destination independently.

I think that this revised code should work for your optional (www.bob.com)

Sub Main1()
    Dim s1 As String, A As String, B As String, S As String, D As String, N As String, Z As String
    Dim RegEx, RegO, Matches, SubM
    Set RegEx = CreateObject("vbscript.regexp")
    RegEx.Pattern = "(outside\/)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\/\d+)?(.+?(\(.+?\)){1}|.+?)"
    RegEx.Global = True
    s1 = ":%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.3 (customermex-148-244-192-88.alestra.net.mx) (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)"
    Set RegO = RegEx.Execute(s1)
    For Each Matches In RegO
        Set SubM = Matches.submatches
        Select Case SubM(0)
            Case "outside/"
                A = SubM(1)
                S = SubM(2)
                Z = SubM(4)
        End Select
        MsgBox A & " " & S & " " & Z & vbNewLine & vbNewLine & "Total match was: " & vbNewLine & Matches
    Next
End Sub

Cheers

Dave
0
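An added example (not code from the thread or its participants), written in JavaScript because its regex engine accepts the thread's patterns unchanged. `threadHost` runs the earlier pattern with the optional trailing group to show where that group comes back empty; `parseEndpoints`, a hypothetical helper, puts the filler inside the optional group so each IP in a line yields its port and hostname when present. Allowing at most one lowercase word between the address and `(` is an assumption drawn from the sample messages quoted above.

```javascript
// Added example, not code from the thread. Sample lines are quoted from the posts above.

// Pattern posted earlier in the thread. ".+?" is satisfied by one character,
// so the optional "(...)" group is only attempted at that single position.
const THREAD_PATTERN =
  /(outside\/)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})(\/\d+)?.+?(\(.+?\))?/;

function threadHost(line) {
  const m = THREAD_PATTERN.exec(line);
  return m && m[4] !== undefined ? m[4] : null;
}

// One endpoint per match (group numbers):
//   1 IPv4   2 port right after the IP   3 hostname in parentheses
//   4 port written after the hostname ("... (bob.com) /80")
// The filler before "(" is inside the optional group, so the group matches
// as a whole or is skipped. Assumption: at most one lowercase word
// (such as "dst") separates the address from its "(hostname)".
const ENDPOINT =
  /\b(\d{1,3}(?:\.\d{1,3}){3})(?:\/(\w+))?(?:(?:\s+[a-z]+)?\s*\(([^)]*)\))?(?:\s*\/(\w+))?/g;

function parseEndpoints(line) {
  const found = [];
  for (const m of line.matchAll(ENDPOINT)) {
    found.push({ ip: m[1], port: m[2] ?? m[4] ?? null, host: m[3] ?? null });
  }
  return found;
}

const SAMPLES = {
  hostAfterDst:
    ':%PIX-4-402106: Deny tcp src outside:1.1.1.2/80 dst (www.bob.com) inside:123.124.129.123/5694 by access-group outside_access_in',
  hostThenType:
    ':%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.3 (customermex-148-244-192-88.alestra.net.mx) (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)',
  portAfterHost:
    ':%PIX-4-106023: Deny tcp src outside:123.13.12.123 (bob.com) /80 dst interface inside 0 /5694 by "access-group"',
  noHost:
    '%PIX-2-106017: Deny IP due to Land Attack from 1.1.1.1 to 2.2.2.2',
};

// The line the expert reply reports as returning only the IP.
const NOT_BRACKETED =
  '%PIX-3-106100: access-list acl_inbound denied icmp outside/1.1.2.3 customermex-148-244-192-88.alestra.net.mx (0) -> dmz/66.193.215.3 (bible-web.bbnradio.org) (8) hit-cnt 2 (300-second interval)';

for (const [name, line] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(parseEndpoints(line)));
}
console.log('thread pattern, bracketed host:', threadHost(SAMPLES.hostThenType));
console.log('thread pattern, text before "(":', threadHost(NOT_BRACKETED));
```

The `ENDPOINT` pattern uses only grouping, character classes and optional groups, so it can be assigned to `RegEx.Pattern` with the submatch indexes shifted down by one.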
 
Expert Comment

by:Dave Brett
Brian,

Thanks for the grade.

Is this all working for you now?

Cheers

Dave
0
