Help in Firewall Log


Postby Maxmedeiros » Thu Mar 30, 2006 7:07 pm

I need to erase some lines that are outside the standard size... how can I do it?

Example:

Mar 19 08:09:00 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=8506 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=65320 RES=0x00 ACK URGP=0
Mar 19 08:09:00 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.4>http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=8585 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=63908 RES=0x00 ACK URGP=0 <---Delete Very long
Mar 19 08:09:00 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=8401 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=65320 RES=0x00 ACK URGP=0
Mar 19 08:09:00 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=8402 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=63908 RES=0x00 ACK URGP=0
Mar 19 08:09:00 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.2470 <---Delete Small
Mar 19 08:09:04 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=9176 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=65320 RES=0x00 ACK URGP=0
Mar 19 08:09:04 abab kernel: smtp: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=65.123.82.253 DST=200.202.247.45 LEN=46 TOS=0x00 PREC=0x00 TTL=112 ID=42806 DF PROTO=TCP SPT=2673 DPT=25 WINDOW=17274 RES=0x00 ACK PSH URGP=0
Mar 19 08:09:04 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=9178 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=65320 RES=0x00 ACK URGP=0
Mar 19 08:09:09 abab kernel: smtp: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=65.123.82.253 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=43602 DF PROTO=TCP SPT=2673 DPT=25 WINDOW=17124 RES=0x00 ACK FIN URGP=0


I need this:
Mar 19 08:09:00 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=8506 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=65320 RES=0x00 ACK URGP=0
Mar 19 08:09:00 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=8401 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=65320 RES=0x00 ACK URGP=0
Mar 19 08:09:00 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=8402 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=63908 RES=0x00 ACK URGP=0
Mar 19 08:09:04 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=9176 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=65320 RES=0x00 ACK URGP=0
Mar 19 08:09:04 abab kernel: smtp: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=65.123.82.253 DST=200.202.247.45 LEN=46 TOS=0x00 PREC=0x00 TTL=112 ID=42806 DF PROTO=TCP SPT=2673 DPT=25 WINDOW=17274 RES=0x00 ACK PSH URGP=0
Mar 19 08:09:04 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=9178 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=65320 RES=0x00 ACK URGP=0
Mar 19 08:09:09 abab kernel: smtp: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=65.123.82.253 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=43602 DF PROTO=TCP SPT=2673 DPT=25 WINDOW=17124 RES=0x00 ACK FIN URGP=0


The problem is the lines with smaller or bigger sizes than the standard!
But the standard itself can change! 8O 8O


The log has 500000 lines 8O
thanks!
Maxmedeiros
Newbie
Posts: 2
Joined: Thu Mar 30, 2006 12:00 am

Re: Help in Firewall Log

Postby Bego » Fri Mar 31, 2006 5:59 am

Hi Max,

Until you can define how to "grab" the non-standard lines (identify the lines), no one can help you here...
As I understood it, the line length cannot be used as a criterion.
rds, Bego
Bego
Master
Posts: 357
Joined: Wed Nov 24, 2004 12:00 am
Location: Germany

Re: Help in Firewall Log

Postby Mofi » Sat Apr 01, 2006 11:56 am

This macro runs on line length 235 (valid http lines) and 240 (valid smtp lines). It deletes all lines which do not have a line length of 235 or 240 characters (without CRLF).

InsertMode
ColumnModeOff
HexOff
UnixReOff
Bottom
IfColNum 1
Else
"
"
EndIf
Top
Loop
IfEof
ExitLoop
EndIf
Key END
IfColNum 235
Key DOWN ARROW
Else
IfColNum 240
Key DOWN ARROW
Else
SelectLine
Delete
EndIf
EndIf
EndLoop

If the standard changes, you also have to change the numbers at the two IfColNum commands.


I have a second suggestion for your problem:

Find all lines with the correct count of spaces, list these lines (use option List Lines Containing String), copy the find result to the clipboard and paste it into a new file or overwrite the existing file content with the clipboard content.

The UltraEdit style regular expression search string to find all lines with the correct number of spaces (23) is:

%[~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+[ ^t]++$

But this regular expression will also not find the smtp lines with 24 spaces (columns). To find all valid http and smtp lines, use the following regular expression in UltraEdit style:

%[~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ ^{http^}^{smtp^}: [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+ [~ ^r^n]+[ ^t]++[~ ^r^n]++[ ^t]++$

Well, invalid http lines with 24 spaces/columns will also be found by this search string. So it is not 100% perfect.
Mofi
Grand Master
Posts: 4055
Joined: Thu Jul 29, 2004 11:00 pm
Location: Vienna
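A more robust variant of the second suggestion, added here as an example and not code from the thread: instead of counting characters or spaces, check each line's structure (syslog prefix, the fixed set of key=value fields, IPv4 addresses in SRC/DST, and the closing URGP field), so glued and truncated records are dropped even when the optional TCP flags make valid lines differ in length. The sample lines are the ones from Max's post; the rule names http and smtp are assumed from them.

```python
import re

# Every complete record in this iptables LOG format carries these keys; flag words
# such as DF, ACK, PSH and FIN are optional, so line length and token count both vary.
REQUIRED_KEYS = ("IN", "OUT", "MAC", "SRC", "DST", "LEN", "TOS", "PREC", "TTL",
                 "ID", "PROTO", "SPT", "DPT", "WINDOW", "RES", "URGP")
# Syslog prefix as seen in the thread: "Mar 19 08:09:00 abab kernel: http: IN=..."
PREFIX = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ kernel: (?:http|smtp): (?=IN=)")
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

def parse_record(line):
    """Return the key=value fields of a well-formed record, or None if the line is damaged."""
    m = PREFIX.match(line)
    if not m:
        return None
    tokens = line[m.end():].split()
    if not tokens or not tokens[-1].startswith("URGP="):
        return None  # a truncated line never reaches the final URGP field
    fields = {}
    for token in tokens:
        if "=" not in token:
            continue  # bare flags such as DF, ACK, PSH, FIN
        key, _, value = token.partition("=")
        if key in fields:
            return None  # a repeated key means two records were glued together
        fields[key] = value
    if any(k not in fields for k in REQUIRED_KEYS):
        return None
    if not (IPV4.match(fields["SRC"]) and IPV4.match(fields["DST"])):
        return None
    return fields

def filter_log(lines):
    """Split log lines into well-formed records and damaged ones (both keep their order)."""
    kept, dropped = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        (kept if parse_record(line) else dropped).append(line)
    return kept, dropped

# Constructed sample taken from the thread: valid http, glued, truncated, valid smtp.
SAMPLE = [
    "Mar 19 08:09:00 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=8506 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=65320 RES=0x00 ACK URGP=0",
    "Mar 19 08:09:00 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.4>http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.247.45 LEN=52 TOS=0x00 PREC=0x00 TTL=115 ID=8585 DF PROTO=TCP SPT=1295 DPT=80 WINDOW=63908 RES=0x00 ACK URGP=0",
    "Mar 19 08:09:00 abab kernel: http: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=87.196.128.37 DST=200.202.2470",
    "Mar 19 08:09:04 abab kernel: smtp: IN=eth0 OUT= MAC=00:02:55:23:21:d9:00:0a:41:7f:4b:40:08:00 SRC=65.123.82.253 DST=200.202.247.45 LEN=46 TOS=0x00 PREC=0x00 TTL=112 ID=42806 DF PROTO=TCP SPT=2673 DPT=25 WINDOW=17274 RES=0x00 ACK PSH URGP=0",
]
```

Running `filter_log` over a 500000-line file is a matter of passing an open file object, since it only needs an iterable of lines.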

Re: Help in Firewall Log

Postby Maxmedeiros » Mon Apr 03, 2006 10:57 pm

Thanks Bego and Mofi!!
Maxmedeiros
Newbie
Posts: 2
Joined: Thu Mar 30, 2006 12:00 am
