@sabicalija
Created January 11, 2021 17:02
RegExp Example for snort+
const alert = `++ [0] /home/payman/snort_src/snort3/captures/test_case/knxnetip/header/02_knxnetip_invalid_header_size.pcap
pkt:1 gid:147 sid:2 rev:0
timestamp:08/20-01:50:54.000000
eth(DLT): 0A:01:01:01:01:01 -> 0A:02:02:02:02:02 type:0x0800
ipv4(0x0800): 172.22.10.76 -> 172.22.12.76
Next:0x11 TTL:255 TOS:0x0 ID:4660 IpLen:20 DgmLen:51
udp(0x11): SrcPort:3671 DstPort:41975 Len:23
knxnetip.raw[65]:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0000 0A 02 02 02 02 02 0A 01 01 01 01 01 08 00 45 00 ........ ......E.
0010 00 33 12 34 00 00 FF 11 3A C1 AC 16 0A 4C AC 16 .3.4.... :....L..
0020 0C 4C 0E 57 A3 F7 00 1F 99 61 07 10 04 20 00 17 .L.W.... .a... ..
0030 04 01 3E 00 29 00 BC E0 76 04 19 00 03 00 80 0D ..>.)... v.......
0040 00 .
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[**] [147:2:0] "(knxnetip) invalid header size" [**]`;
// Match the "ipv4(...): <src> -> <dst>" line of the alert. "." never matches a
// newline, so both greedy groups stay on that single line; the only "->" on the
// line splits them into source and destination address.
const r = /ipv4\(.*\):\s+(.*)\s->\s+(.*)/gm;
const m = r.exec(alert);
// Declare the fields outside the if-block: a "const" destructured inside
// "if (m) { ... }" is block-scoped and is not visible to the console.log below
// (ReferenceError).
let match, ipIN, ipOUT;
if (m) {
  [match, ipIN, ipOUT] = m;
}
console.log({ match, ipIN, ipOUT });
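An added example (not part of this gist) that extends the same idea to the other header lines of the alert: one anchored regex per line with named groups, an explicit IPv4 pattern instead of a greedy `.*`, and a null result when the block has no ipv4 line. The sample alert is the gist's own text with the hex dump omitted; `parseAlert` is a name chosen here.

```javascript
// Added example (not part of the gist): parse the header fields of a Snort 3
// full-format alert block into an object, using anchored, line-based regexes
// instead of one greedy ".*" match. SAMPLE_ALERT is the gist's alert text
// with the "knxnetip.raw" hex dump left out.
const SAMPLE_ALERT = `++ [0] /home/payman/snort_src/snort3/captures/test_case/knxnetip/header/02_knxnetip_invalid_header_size.pcap
pkt:1 gid:147 sid:2 rev:0
timestamp:08/20-01:50:54.000000
eth(DLT): 0A:01:01:01:01:01 -> 0A:02:02:02:02:02 type:0x0800
ipv4(0x0800): 172.22.10.76 -> 172.22.12.76
Next:0x11 TTL:255 TOS:0x0 ID:4660 IpLen:20 DgmLen:51
udp(0x11): SrcPort:3671 DstPort:41975 Len:23
[**] [147:2:0] "(knxnetip) invalid header size" [**]`;

// One regex per line, anchored with ^/$ under the "m" flag so a field can
// never spill across lines; IPv4 octets are matched explicitly.
const IPV4 = "(?:\\d{1,3}\\.){3}\\d{1,3}";
const RE = {
  rule: /^pkt:(?<pkt>\d+)\s+gid:(?<gid>\d+)\s+sid:(?<sid>\d+)\s+rev:(?<rev>\d+)$/m,
  timestamp: /^timestamp:(?<timestamp>\S+)$/m,
  ipv4: new RegExp(`^ipv4\\([^)]*\\):\\s+(?<src>${IPV4})\\s+->\\s+(?<dst>${IPV4})$`, "m"),
  l4: /^(?<proto>udp|tcp)\(0x[0-9a-f]+\):\s+SrcPort:(?<sport>\d+)\s+DstPort:(?<dport>\d+)/im,
  msg: /^\[\*\*\] \[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\] "(?<msg>[^"]*)" \[\*\*\]$/m,
};

// Returns null when the block has no ipv4 line (e.g. an IPv6 or non-IP alert)
// so callers cannot silently read undefined address fields.
function parseAlert(text) {
  const ip = RE.ipv4.exec(text);
  if (!ip) return null;
  const rule = RE.rule.exec(text)?.groups ?? {};
  const ts = RE.timestamp.exec(text)?.groups ?? {};
  const l4 = RE.l4.exec(text)?.groups ?? {};
  const msg = RE.msg.exec(text)?.groups ?? {};
  return {
    gid: Number(rule.gid), sid: Number(rule.sid), rev: Number(rule.rev),
    timestamp: ts.timestamp ?? null,
    src: ip.groups.src, dst: ip.groups.dst,
    proto: l4.proto ? l4.proto.toLowerCase() : null,
    sport: l4.sport ? Number(l4.sport) : null,
    dport: l4.dport ? Number(l4.dport) : null,
    msg: msg.msg ?? null,
  };
}

console.log(parseAlert(SAMPLE_ALERT));
```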