Rich Rumble
Clipboard Curation and additional actions

I have a script from: https://www.experts-exchange.com/questions/29123692/PowerShell-script-to-format-data-in-Clipboard.html?anchorAnswerId=42719419#a42719419
I'd like to take additional actions on certain fields such as IP Address, we'll use aaaa for that
INPUT
aaaa:8.8.8.8
bbbb:80
cccc:3333
dddd:FC-FC-48-11-22-33-44 -55
eeee:443
fffffff:66666

Not only do I want to eliminate the cccc and fffffff lines like in the previous question, I want to do an NSLookup on the data after the aaaa:
and if the IP resolves, append the response. If eeee: exists, look up in a csvfile what port 443, HTTPS if not listed in csv, output Unknown. Same for Mac address (dddd: in this case), look up in a CSV what the first 3 octets correspond to (FC-FC-48, Apple/Mac)

I'd like it to be easy to do more actions like that with the data that might exist after the keys. I think I can figure it out with a few examples.

Output would now be:
eeee:443 HTTPS
aaaa:1111 google-public-dns-a.google.com
dddd:FC-FC-48-11-22-33-44 -55 Apple/Mac

Thanks!
-rich
oBdA

That should do the trick.
You gave no information whatsoever about the csv format for the mac/ports, so you'll have to adjust lines 8 and 10 accordingly.
It currently assumes two columns "MacAddress" and "Vendor", for the MACs, and "Port" and "Protocol" for the ports.
It converts the key/value strings to a hash table, then you can change the values, then it puts them back together again (skipping those without an empty value).
$keep = @(
	'IP Address'
	'Mac Address'
	'Remote Port'
)
# CSV columns assumed: MacAddress,Vendor and Port,Protocol (adjust to the real files)
$macLookup = @{}
Import-Csv -Path 'C:\Temp\mac.csv' | ForEach-Object {$macLookup[$_.MacAddress] = $_.Vendor}
$portLookup = @{}
Import-Csv -Path 'C:\Temp\ports.csv' | ForEach-Object {$portLookup[$_.Port] = $_.Protocol}

# Parse "Key : Value" clipboard lines into a hash table
$fields = @{}
(Get-ClipBoard) -split "`r`n" | 
	Where-Object {$_ -match '^(\s*)(?<Key>[^:]+?)\s*:\s*(?<Value>.*?)\s*$'} |
	ForEach-Object {$fields[$Matches['Key']] = $Matches['Value']}

# Enrich the values of the keys that are actually present
Switch ($keep | Where-Object {$fields.ContainsKey($_)}) {
	'IP Address' {
		# Reverse lookup; leave the value as-is when there is no PTR record
		try {$fields[$_] += ' ' + [System.Net.Dns]::GetHostByAddress($fields[$_]).HostName} catch {}
	}
	'Mac Address' {
		$fields[$_] += ' ' + $macLookup[$fields[$_]]
	}
	'Remote Port' {
		$fields[$_] += ' ' + $portLookup[$fields[$_]]
	}
}
# Put the kept, non-empty fields back on the clipboard
($keep | Where-Object {$fields[$_]} | ForEach-Object {"$($_): $($fields[$_])"}) -join "`r`n" | Set-ClipBoard


Rich Rumble (asker)

Sorry for the delay I've been away
Allow me to give some added data.
CSVs are "val_1 comma+space val_2".
I didn't even consider TCP/UDP, we will have to assume TCP in the script as it's not a value given in most of the data I'm looking to parse. Or I can remove anything not TCP and leave it at that. Only the first 3 octets of the Mac address are used to look them up, and they will be given in the xx-xx-xx format.


========oui.csv (MAC addresses)==========
00-00-00, Xerox Corporation
00-00-0C, Cisco Systems Inc.
00-21-59, Juniper Networks
04-BD-88, Aruba
04-C2-41, Nokia
08-00-1B, Dell EMC

=======tcp-udp.csv=======
http, 80, SCTP, 0.000000, # www-http | www | World Wide Web HTTP
http, 80, TCP, 0.484143, # World Wide Web HTTP
http, 80, UDP, 0.035767, # World Wide Web HTTP
ntp, 123, TCP, 0.000138, # Network Time Protocol
ntp, 123, UDP, 0.330879, # Network Time Protocol
https, 443, SCTP, 0.000000, # http protocol over TLS/SSL
https, 443, TCP, 0.208669, # secure http (SSL)
https, 443, UDP, 0.010840
quake3, 27960, UDP, 0.000726, # Quake 3 Arena Server

===========Test Data============
Host : Google DNS
Alert : Green
IP Address : 8.8.8.8
State : Active
Port : 443
Prod : True
Mac Address : 00-21-59-66-AF-00
Filler : Yup
Lorum Ipsom : Ubet

I didn't know about this call "[system.net.dns]::GetHostByAddress", very neat!
Thanks!
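As an added example (not oBdA's script and not the accepted solution, which is not shown on this page), this reworks the same approach for the formats given in this post: headerless comma+space CSVs, a 3-octet OUI prefix, TCP-only port lookup, and a table of per-key enrichers so that another field is one extra entry. The CSV content and clipboard text are constructed samples embedded inline, and the file paths named in the comments are placeholders.

```powershell
# Constructed stand-ins for C:\Temp\oui.csv and C:\Temp\tcp-udp.csv (placeholder paths).
$ouiCsv = @'
00-00-0C, Cisco Systems Inc.
00-21-59, Juniper Networks
08-00-1B, Dell EMC
'@
$portCsv = @'
http, 80, TCP, 0.484143, # World Wide Web HTTP
https, 443, TCP, 0.208669, # secure http (SSL)
https, 443, UDP, 0.010840
ntp, 123, UDP, 0.330879, # Network Time Protocol
'@
# Constructed test input; replace with (Get-Clipboard) -join "`r`n" for real use.
$clipText = @'
Host : Google DNS
IP Address : 8.8.8.8
Port : 443
Mac Address : 00-21-59-66-AF-00
Filler : Yup
'@

# The files are headerless "val_1, val_2" lines: supply headers and trim the space after each comma.
$macLookup = @{}
$ouiCsv | ConvertFrom-Csv -Header Prefix, Vendor |
    ForEach-Object { $macLookup[$_.Prefix.Trim().ToUpper()] = $_.Vendor.Trim() }
$portLookup = @{}
$portCsv | ConvertFrom-Csv -Header Service, Port, Proto, Freq, Comment |
    Where-Object { $_.Proto.Trim() -eq 'TCP' } |      # TCP assumed, as agreed above
    ForEach-Object { $portLookup[$_.Port.Trim()] = $_.Service.Trim().ToUpper() }

# One enricher per key; add a key/scriptblock pair here to handle another field.
# The PTR name is set by whoever controls the address's reverse zone, so treat it as a hint, not a fact.
$enrich = [ordered]@{
    'IP Address'  = { param($v) try { [System.Net.Dns]::GetHostEntry($v).HostName } catch { 'Unresolved' } }
    'Port'        = { param($v) if ($portLookup.ContainsKey($v)) { $portLookup[$v] } else { 'Unknown' } }
    'Mac Address' = { param($v) $p = (($v.ToUpper() -split '-')[0..2]) -join '-'     # first 3 octets only
                      if ($macLookup.ContainsKey($p)) { $macLookup[$p] } else { 'Unknown' } }
}

# Parse "Key : Value" lines, then emit only the keys we know how to enrich.
$fields = @{}
$clipText -split "`r?`n" |
    Where-Object { $_ -match '^\s*(?<Key>[^:]+?)\s*:\s*(?<Value>.*?)\s*$' } |
    ForEach-Object { $fields[$Matches.Key] = $Matches.Value }
$out = foreach ($key in $enrich.Keys) {
    if ($fields[$key]) { '{0}: {1} {2}' -f $key, $fields[$key], (& $enrich[$key] $fields[$key]) }
}
$out -join "`r`n"       # pipe to Set-Clipboard to put the result back
```

With the embedded tables the Port line becomes "Port: 443 HTTPS" and the Mac line "Mac Address: 00-21-59-66-AF-00 Juniper Networks"; the IP line depends on the live reverse DNS answer at the time it runs.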
ASKER CERTIFIED SOLUTION
oBdA
Perfect! Thanks for working so hard on this, again sorry for the delay in responding.
-rich