Rich Rumble asked:

Clipboard Curation and additional actions

I have a script from: https://www.experts-exchange.com/questions/29123692/PowerShell-script-to-format-data-in-Clipboard.html?anchorAnswerId=42719419#a42719419
I'd like to take additional actions on certain fields such as IP Address; we'll use aaaa for that.
INPUT
aaaa:8.8.8.8
bbbb:80
cccc:3333
dddd:FC-FC-48-11-22-33-44 -55
eeee:443
fffffff:66666

Not only do I want to eliminate the cccc and fffffff lines like in the previous question, I want to do an NSLookup on the data after the aaaa:
and if the IP resolves, append the response. If eeee: exists, look up in a CSV file what port 443 is (HTTPS); if not listed in the CSV, output Unknown. Same for the MAC address (dddd: in this case): look up in a CSV what the first 3 octets correspond to (FC-FC-48, Apple/Mac).

I'd like it to be easy to do more actions like that with the data that might exist after the keys. I think I can figure it out with a few examples.

Output would now be:
eeee:443 HTTPS
aaaa:1111 google-public-dns-a.google.com
dddd:FC-FC-48-11-22-33-44 -55 Apple/Mac

Thanks!
-rich
oBdA replied:

That should do the trick.
You gave no information whatsoever about the csv format for the mac/ports, so you'll have to adjust lines 8 and 10 accordingly.
It currently assumes two columns "MacAddress" and "Vendor", for the MACs, and "Port" and "Protocol" for the ports.
It converts the key/value strings to a hash table, then you can change the values, then it puts them back together again (skipping those without an empty value).
# Keys to keep, in output order.
$keep = @(
	'IP Address'
	'Mac Address'
	'Remote Port'
)
# Lookup tables built from the CSVs; adjust the column names to match your files.
$macLookup = @{}
Import-Csv -Path 'C:\Temp\mac.csv' | ForEach-Object {$macLookup[$_.MacAddress] = $_.Vendor}
$portLookup = @{}
Import-Csv -Path 'C:\Temp\ports.csv' | ForEach-Object {$portLookup[$_.Port] = $_.Protocol}

# Parse each "Key: Value" clipboard line into a hash table (whitespace around key and value is dropped).
$fields = @{}
(Get-ClipBoard) -split "`r`n" | 
	Where-Object {$_ -match '^(\s*)(?<Key>[^:]+?)\s*:\s*(?<Value>.*?)\s*$'} |
	ForEach-Object {$fields[$Matches['Key']] = $Matches['Value']}

# Enrich the value of each kept key that is present; $_ is the current key.
Switch ($keep | Where-Object {$fields.ContainsKey($_)}) {
	'IP Address' {
		$fields[$_] += ' ' + [system.net.dns]::GetHostByAddress($fields[$_]).HostName
	}
	'Mac Address' {
		$fields[$_] += ' ' + $macLookup[$fields[$_]]
	}
	'Remote Port' {
		$fields[$_] += ' ' + $portLookup[$fields[$_]]
	}
}
# Rebuild the kept lines (skipping empty values) and write them back to the clipboard.
($keep | Where-Object {$fields[$_]}| ForEach-Object {"$($_): $($fields[$_])"}) -join "`r`n" | Set-ClipBoard


Rich Rumble (asker) replied:

Sorry for the delay, I've been away.
Allow me to give some added data.
CSVs are "val_1 comma+space val_2".
I didn't even consider TCP/UDP; we will have to assume TCP in the script, as it's not a value given in most of the data I'm looking to parse. Or I can remove anything not TCP and leave it at that. Only the first 3 octets of the MAC address are used to look them up, and they will be given in the xx-xx-xx format.


======== oui.csv (MAC addresses) ========
00-00-00, Xerox Corporation
00-00-0C, Cisco Systems Inc.
00-21-59, Juniper Networks
04-BD-88, Aruba
04-C2-41, Nokia
08-00-1B, Dell EMC

=======tcp-udp.csv=======
http, 80, SCTP, 0.000000, # www-http | www | World Wide Web HTTP
http, 80, TCP, 0.484143, # World Wide Web HTTP
http, 80, UDP, 0.035767, # World Wide Web HTTP
ntp, 123, TCP, 0.000138, # Network Time Protocol
ntp, 123, UDP, 0.330879, # Network Time Protocol
https, 443, SCTP, 0.000000, # http protocol over TLS/SSL
https, 443, TCP, 0.208669, # secure http (SSL)
https, 443, UDP, 0.010840
quake3, 27960, UDP, 0.000726, # Quake 3 Arena Server

===========Test Data============
Host : Google DNS
Alert : Green
IP Address : 8.8.8.8
State : Active
Port : 443
Prod : True
Mac Address : 00-21-59-66-AF-00
Filler : Yup
Lorum Ipsom : Ubet

I didn't know about this call "[system.net.dns]::GetHostByAddress", very neat!
Thanks!
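Putting the follow-up data to work, as an added example that is not the accepted answer from this thread: both headerless CSVs are read with explicit -Header names, the OUI lookup keys on the first three octets, the port lookup keeps only TCP rows, and each key's action is a scriptblock so a new key is one entry in $keep and one in $actions. The file paths are assumptions.

```powershell
# Added example, not the accepted answer from this thread. Paths are assumptions.
$ouiCsv  = 'C:\Temp\oui.csv'      # rows like: 00-21-59, Juniper Networks
$portCsv = 'C:\Temp\tcp-udp.csv'  # rows like: https, 443, TCP, 0.208669, # secure http (SSL)

# Neither CSV has a header row, so name the columns explicitly.
# OUI lookup is keyed on the first three octets (xx-xx-xx); values are trimmed because of the ", " separator.
$macLookup = @{}
Import-Csv -Path $ouiCsv -Header 'Prefix', 'Vendor' | ForEach-Object {
    $macLookup[$_.Prefix.Trim().ToUpper()] = $_.Vendor.Trim()
}
# Port lookup keeps TCP rows only; the parsed data carries no protocol, so TCP is assumed.
$portLookup = @{}
Import-Csv -Path $portCsv -Header 'Service', 'Port', 'Proto', 'Freq', 'Comment' |
    Where-Object { $_.Proto.Trim() -eq 'TCP' } |
    ForEach-Object { $portLookup[$_.Port.Trim()] = $_.Service.Trim().ToUpper() }

# Keys to keep, in output order, and one scriptblock per key that returns the enriched value.
# Keys listed in $keep but absent from $actions pass through unchanged.
$keep = @('IP Address', 'Port', 'Mac Address')
$actions = @{
    'IP Address'  = { param($v)
        # Reverse lookup; keep the bare address if DNS is unavailable or there is no PTR record.
        try { "$v $([System.Net.Dns]::GetHostEntry($v).HostName)" } catch { $v } }
    'Port'        = { param($v)
        $svc = $portLookup[$v]; if ($svc) { "$v $svc" } else { "$v Unknown" } }
    'Mac Address' = { param($v)
        $prefix = (($v -split '-')[0..2] -join '-').ToUpper()
        $vendor = $macLookup[$prefix]; if ($vendor) { "$v $vendor" } else { "$v Unknown" } }
}

# Parse "Key : Value" lines from the clipboard into a hash table.
$fields = @{}
(Get-Clipboard) -split "`r?`n" |
    Where-Object { $_ -match '^\s*(?<Key>[^:]+?)\s*:\s*(?<Value>.*?)\s*$' } |
    ForEach-Object { $fields[$Matches['Key']] = $Matches['Value'] }

# Apply the action for each kept key that has a value, then write the result back.
$out = foreach ($key in $keep) {
    if (-not $fields[$key]) { continue }
    $value = if ($actions.ContainsKey($key)) { & $actions[$key] $fields[$key] } else { $fields[$key] }
    "$key : $value"
}
$out -join "`r`n" | Set-Clipboard
```

With the test data above on the clipboard, the Port line becomes "Port : 443 HTTPS" and the Mac Address line "Mac Address : 00-21-59-66-AF-00 Juniper Networks"; the IP Address line carries whatever name the reverse lookup returns, or the bare address when it fails.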
ASKER CERTIFIED SOLUTION by oBdA (answer body not included on this page)
Perfect! Thanks for working so hard on this, again sorry for the delay in responding.
-rich