如何从中获取返回的受感染文件列表的文件路径clamscan -ri?
现在我看到的是:
/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt: copied to '/folder/infections//HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt'
/home/folder/public_html/wp-content/uploads/2015/02/Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2015/02/Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt: copied to '/folder/infections//Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt'
/home/folder/public_html/wp-content/uploads/2015/02/HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2015/02/HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt: copied to '/folder/infections//HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt'
/home/folder/public_html/wp-content/uploads/2014/10/HG010_Hyaloglide_product_overview_training_RevC.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2014/10/HG010_Hyaloglide_product_overview_training_RevC.ppt: copied to '/folder/infections//HG010_Hyaloglide_product_overview_training_RevC.ppt'
我想要的只是文件路径。例如/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt
也许一个简单的sed命令就可以抓取 :? 之前的所有内容,但我不知道应该使用哪种模式
答案1
$ clamscan -ri | sed -n '/FOUND/s/: .*//p'
/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt
/home/folder/public_html/wp-content/uploads/2015/02/Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt
/home/folder/public_html/wp-content/uploads/2015/02/HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt
/home/folder/public_html/wp-content/uploads/2014/10/HG010_Hyaloglide_product_overview_training_RevC.ppt
怎么运行的
每个文件出现在输入的两行中。为了避免重复,我们只需选择其中一行。此代码选择第一个出现的行,即FOUND行末有单词的行。然后删除后面的所有内容:并打印该行。
更详细地:
-n这告诉 sed 不要打印任何内容,除非我们明确要求它这样做。
/FOUND/ s/: .*//p这将选择包含单词 的行
FOUND。替换命令s/: .*//会删除冒号空格后的所有内容。后缀p告诉 sed 打印这些行。
将输出变成 bash 数组
要创建文件名的 bash 数组:
IFS=$'\n' cl_scan=($(clamscan -ri | sed -n '/FOUND/s/: .*//p'))
因为我们设置了IFS=$'\n',所以即使文件名中包含空格或制表符,此方法也有效。但文件名中包含换行符或冒号空格,此方法无效。
要验证阵列是否符合要求,请运行:
$ declare -p cl_scan
declare -a cl_scan='([0]="/home/folder/public html/wp content/uploads/2015/07/HB006 Hyalobarrier Product training MASTER 10 07 15.ppt" [1]="/home/folder/public html/wp content/uploads/2015/02/Tech003 HA HYAFF technology MASTER presentation RevB.ppt" [2]="/home/folder/public html/wp content/uploads/2015/02/HM006 Hyalomatrix PA product overview training RevB.ppt" [3]="/home/folder/public html/wp content/uploads/2014/10/HG010 Hyaloglide product overview training RevC.ppt")'
答案2
另一种解决方案是使用awk+ readarray;
处理输出clamscan -ri:
clamscan -ri | awk -F ':' '/FOUND/ {print $1}'
-F ':':awk将 的字段分隔符设置为:;/FOUND/:模式;仅当记录与FOUND字符串匹配时才执行以下操作;{print $1}:打印第一个字段;
将处理后的输出读clamscan -ti入数组$x:
mapfile -t x < <(clamscan -ri | awk -F ':' '/FOUND/ {print $1}')
-t:在将每行读入数组之前,删除其末尾的换行符;< <(clamscan -ri | awk -F ':' '/FOUND/ {print $1}'):将进程替换的输出重定向<(clamscan -ri | awk -F ':' '/FOUND/ {print $1}')到readarraystdin
ubuntu@ubuntu:~/tmp$ cat infile
/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt: copied to '/folder/infections//HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt'
/home/folder/public_html/wp-content/uploads/2015/02/Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2015/02/Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt: copied to '/folder/infections//Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt'
/home/folder/public_html/wp-content/uploads/2015/02/HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2015/02/HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt: copied to '/folder/infections//HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt'
/home/folder/public_html/wp-content/uploads/2014/10/HG010_Hyaloglide_product_overview_training_RevC.ppt: Doc.Exploit.CVE_2015_2341 FOUND
/home/folder/public_html/wp-content/uploads/2014/10/HG010_Hyaloglide_product_overview_training_RevC.ppt: copied to '/folder/infections//HG010_Hyaloglide_product_overview_training_RevC.ppt'
ubuntu@ubuntu:~/tmp$ cat infile | awk -F ':' '/FOUND/ {print $1}'
/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt
/home/folder/public_html/wp-content/uploads/2015/02/Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt
/home/folder/public_html/wp-content/uploads/2015/02/HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt
/home/folder/public_html/wp-content/uploads/2014/10/HG010_Hyaloglide_product_overview_training_RevC.ppt
ubuntu@ubuntu:~/tmp$ mapfile -t x < <(awk -F ':' '/FOUND/ {print $1}' infile)
ubuntu@ubuntu:~/tmp$ echo "${x[@]}"
/home/folder/public_html/wp-content/uploads/2015/07/HB006_Hyalobarrier-Product-training-MASTER-10-07-15.ppt /home/folder/public_html/wp-content/uploads/2015/02/Tech003_HA_HYAFF_technology_MASTER_presentation_RevB.ppt /home/folder/public_html/wp-content/uploads/2015/02/HM006_Hyalomatrix_PA_product_overview_training_RevB.ppt /home/folder/public_html/wp-content/uploads/2014/10/HG010_Hyaloglide_product_overview_training_RevC.ppt