awk programming question

RW rwmaillists at googlemail.com
Thu Jan 23 21:33:56 UTC 2014


On Thu, 23 Jan 2014 13:57:03 -0700 (MST)
Warren Block wrote:

> On Thu, 23 Jan 2014, dteske at FreeBSD.org wrote:
> 
> >> From: RW [mailto:rwmaillists at googlemail.com]
> >> Note that awk supports +, but not newfangled things like *.
> >
> > With respect to regex, what awk really needs is the quantifier
> > syntax...
> >
> > * = {0,} = zero or more
> > + = {1,} = one or more
> > {x,y} = any quantity from x inclusively up to y
> > {x,} = any quantity from x or more
> 
> I think RW meant to type that awk did not have the newfangled "?" for 
> non-greedy matches.

No, I meant it doesn't support *, which had been used in all the
previous awk examples in this thread, and would have been
interpreted as a literal "*". 

$ echo "sid:2008120; re" | awk ' {match($0,/[0-9]+/) ; \
        s=substr($0,RSTART,RLENGTH) ; print "_",s,"_"} '
_ 2008120 _
21:12 (bob) ~
$ echo "sid:2008120; re" | awk ' {match($0,/[0-9]*/) ; \
        s=substr($0,RSTART,RLENGTH) ; print "_",s,"_"} '
_  _


On Thu, 23 Jan 2014 12:20:26 -0800
dteske at FreeBSD.org wrote:

> 1. sig-msg.map file according to OP shouldn't have the quotes that are
> present from the snort rule input
> 2. Doesn't ignore lines of disinterest

I know nothing about snort - I was just going on the previous posts,
but FWIW removing the quotes is just a matter of changing:
 
    msg = substr($0,RSTART+4, RLENGTH-5)

to 

    msg = substr($0,RSTART+5, RLENGTH-6)
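
Added example, not part of the original message or thread: a self-contained version of the extraction discussed above, using the + quantifier for the sid and the RSTART+5 / RLENGTH-6 offsets to drop the quotes around msg. The function names, the msg regex, the "sid || msg" output layout, the treatment of commented-out rules as lines to skip, and the sample rules are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: convert Snort rule lines into "sid || msg" map lines.
# Function names, regexes and sample rules are constructed for illustration.

rules_to_sidmsg() {
    awk '
    # Assumption: commented-out rules are lines of disinterest.
    /^[ \t]*#/ { next }
    {
        # msg:"text" is 4 + 1 + n + 1 characters long, so starting at
        # RSTART+5 and taking RLENGTH-6 characters yields text unquoted.
        if (!match($0, /msg:"[^"]*"/)) next
        msg = substr($0, RSTART + 5, RLENGTH - 6)

        # [0-9]+ needs at least one digit, so the match cannot be empty.
        if (!match($0, /sid:[0-9]+/)) next
        sid = substr($0, RSTART + 4, RLENGTH - 4)

        print sid " || " msg
    }'
}

# Constructed sample input: two active rules, a blank line, one disabled rule.
sample_rules() {
    cat <<'EOF'
# constructed sample rules
alert tcp any any -> any 80 (msg:"EXAMPLE constructed rule one"; content:"abc"; sid:2008120; rev:3;)

#alert tcp any any -> any 25 (msg:"EXAMPLE disabled rule"; sid:2008121; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE rule 42 with digits"; sid:2008122; rev:2;)
EOF
}

sample_rules | rules_to_sidmsg
```

Lines that lack either a quoted msg or a sid produce no output, so blank lines and non-rule text are skipped without a separate test.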

