我对整个 linux bash 脚本还是很陌生,我已经想出了这一点代码,不幸的是,对于一个小文件(193 KiB)来说它的执行时间有点长
real 0m7.234s user 0m6.772s sys 0m3.486s
如果您能看一下,并提供一些改进或提示,将不胜感激!
#!/bin/bash
#
while read line; do
RNAME=$(echo $line | grep -w "ET CINS Active Threat Intelligence Poor Reputation" | sed 's/^.*\(ET CINS Active Threat Intelligence Poor Reputation.*\)/\1/g' | sed 's/".*//')
RSID=$(echo $line | grep -w "ET CINS Active Threat Intelligence Poor Reputation" | grep -o "sid:.*" | awk '{print $1}' | rev | cut -c 2- | rev | cut -c 5-)
echo $line | grep -w "ET CINS Active Threat Intelligence Poor Reputation" | awk '{print "'"$RSID"'" " " "\"[;][)]\"" " " "\"" "; fwsam: src[either], 1 hour;)\"; # " "'"$RNAME"'" }'# >> /tmp/snortsam-rules.txt
echo $line | grep -w "ET CINS Active Threat Intelligence Poor Reputation" | awk '{print "'"$RSID"'" " " "\"\\(msg:\"\" \"(msg:\"[SNORTSAM] \"; # " "'"$RNAME"'" }' >> /tmp/snortsam-rules.txt
done < /etc/snort.d/rules/emerging-threats/emerging-ciarmy.rules
输入文件的内容:
alert tcp [1.11.244.148,1.119.129.16,1.119.133.214,1.119.144.196,1.163.25.190,1.170.159.97,1.173.65.136,1.177.142.203,1.177.220.170,1.177.251.214,1.180.189.18,1.180.208.131,1.180.208.132,1.180.233.23,1.186.176.220,1.186.176.246,1.186.220.92,1.186.235.187,1.192.123.218,1.192.145.246,1.202.225.53,1.202.65.39,1.215.230.46,1.221.225.138,1.228.102.199,1.230.44.160,1.232.113.151,1.234.1.70,1.234.4.14,1.239.35.88,1.24.156.110,1.245.107.90,1.247.184.111,1.251.177.206,1.253.135.172,1.254.20.189,1.254.47.75,1.28.202.11,1.28.202.16,1.31.87.35,1.32.200.123,1.32.216.88,1.32.47.74,1.33.73.100,1.34.113.192,1.34.158.177,1.34.209.99,1.34.21.27,1.34.2.152,1.34.28.244] any -> $HOME_NET any (msg:"ET CINS Active Threat Intelligence Poor Reputation IP TCP group 1"; flags:S; reference:url,www.cinsscore.com; reference:url,www.networkcloaking.com/cins; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:2403300; rev:40471;)
输出示例代码:
2403300 "[;][)]" "; fwsam: src, 1 hour;)"; # ET CINS Active Threat Intelligence Poor Reputation IP TCP group 1
基本上,我想要做的是,获取输入内容的某些部分,并将它们保存到文件中,就像上面的输出示例代码一样,如果这有意义的话?
答案1
笔记:
- 从文件中读取单独的行并在每行上多次运行多个程序将会非常慢。
- 每次执行时请参阅上文
echo $line | ...。
其中大部分可以由 awk 本身完成:
awk -v fmt1='%s "[;][)]" "; fwsam: src, 1 hour;)"; # %s\n' -v fmt2='%s "\\(msg:"" "(msg:"[SNORTSAM] "; # %s\n' '/ET CINS Active Threat Intelligence Poor Reputation/ {
rname = gensub(/.*(ET CINS Active Threat Intelligence Poor Reputation [^"]*).*/, "\\1", 1)
rsid = gensub(/.*ET CINS Active Threat Intelligence Poor Reputation.*sid:(.*); .*/, "\\1", 1)
printf fmt1, rsid, rname
printf fmt2, rsid, rname
}' input-file
笔记:
- 不用进行复杂的转义来获取特定的输出格式,而是使用
printf带有格式字符串。我使用了两个外部定义的 awk 变量(-v fmt1=...,-v fmt2=...)作为格式字符串,从而避免了大量引用。 - 您过去只在模式匹配
echo ... | grep ... | awk时才进行打印。通过使用仅在与模式匹配的行上运行操作,grep可以在 awk 本身中轻松完成此操作。/pattern/ { action } - and命令的工作在正则表达式中很容易完成
rev | cut | rev | cut,sed ... | sed只需保留您需要的字符组即可。