I have the following text file output.txt that I created (it has 15 columns, including the | symbol):
[66] | alert:n | 3.0 | 10/22/2020-14:45:50.066928 | local_ip | 123.123.123.123 | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
[67] | alert:n | 3.0 | 10/22/2020-14:45:51.096955 | local_ip | 12.12.12.11 | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
[68] | alert:n | 3.0 | 10/22/2020-14:45:53.144942 | 123.123.123.123 | local_ip | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
[69] | alert:n | 3.0 | 10/22/2020-14:45:57.176956 | local_ip | 68.73.203.109 | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
[70] | alert:n | 3.0 | 10/22/2020-14:46:05.240953 | 123.123.123.123 | local_ip | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
[71] | alert:n | 3.0 | 10/22/2020-14:46:21.624979 | local_ip | 68.73.203.109 | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
I'm familiar with bash scripting; let's say I want to count the total occurrences of a specific IP, 123.123.123.123, that can be found in the 9th column. I can implement it like this:
#!/bin/bash
ip="123.123.123.123"   # no spaces around "=" in a shell assignment
report=output.txt
# 9th whitespace-separated field is the source-address column; drop local_ip, count the rest
src_ip_count=$(grep "${ip}" "${report}" | awk '{ print $9 }' | grep -v "local_ip" | uniq -c | awk '{ print $1 }')
echo "${src_ip_count}"
and the output is:
[root@me lua-output]# ./test.sh
2
How do I implement the same code above in Lua? I know the popen function can be used, but is there a native way to do this in Lua? Also, if I use popen, I need to pass the variables $ip and $report inside that command, which I'm not sure is possible.
There's a bunch of ways to go about this, really. Assuming you read your data from stdin (though the same works for any file you manually open), you can do something like this:
local c = 0
for line in io.lines() do -- or file:lines() if you have a different file
  -- plain find (4th argument true): the dots in the IP are not treated as pattern wildcards
  if line:find("123.123.123.123", 1, true) then -- only lines containing the IP we care about
    if true then -- whatever other conditions you want to apply
      c = c + 1
    end
  end
end
print(c)
Lua doesn't have a concept of what a "column" is, so you have to build that yourself as well. Either use a pattern to count spaces, or split the string into a table and index it.
You asked whether it is possible to use variables inside popen in Lua. It is possible, and you can use the grep command from Lua.
So in Lua you can do this:
-- lua script using grep example
local ip = "123.123.123.123"
local report = "output.txt" -- the file name must be a string
-- the variables are concatenated into the command string before it is handed to the shell
local cmd = "grep -F " .. ip .. " " .. report .. " | awk '{ print $9 }' | grep -v 'local_ip' | uniq -c | awk '{ print $1 }'"
local handle = io.popen(cmd)
local src_ip_count = handle:read("*a") -- read the whole output of the pipeline
print(src_ip_count)
handle:close()
output:
2
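The first answer notes that a "column" has to be built by the caller, and the question's bash pipeline counts whitespace-separated words, which is why the address lands in the 9th field. The following is an added example (not from either answer) in POSIX shell that splits each line on the literal " | " separator so that column numbers match the file's own layout, and that matches the address exactly rather than as a regex. The sample lines are constructed in the same layout as the question's output.txt.

```shell
#!/bin/sh
# Constructed sample in the same " | "-separated layout as the question's output.txt
# (made up for this example, not the original file).
SAMPLE_LOG='[66] | alert:n | 3.0 | 10/22/2020-14:45:50.066928 | local_ip | 123.123.123.123 | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
[67] | alert:n | 3.0 | 10/22/2020-14:45:51.096955 | local_ip | 12.12.12.11 | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
[68] | alert:n | 3.0 | 10/22/2020-14:45:53.144942 | 123.123.123.123 | local_ip | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
[69] | alert:n | 3.0 | 10/22/2020-14:45:57.176956 | local_ip | 68.73.203.109 | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
[70] | alert:n | 3.0 | 10/22/2020-14:46:05.240953 | 123.123.123.123 | local_ip | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK
[71] | alert:n | 3.0 | 10/22/2020-14:46:21.624979 | local_ip | 68.73.203.109 | United States of America | SURICATA STREAM ESTABLISHED SYNACK resend with different ACK'

# count_ip_in_column COLUMN IP  (reads the report on stdin)
# Splits every line on the literal " | " separator, so COLUMN counts the
# pipe-delimited fields (5 = source address, 6 = destination address in the
# sample) rather than whitespace-separated words, and requires an exact match:
# "12.12.12.11" is not counted when looking for "12.12.12.1".
count_ip_in_column() {
    awk -F' [|] ' -v col="$1" -v ip="$2" '$col == ip { n++ } END { print n + 0 }'
}

# column_totals COLUMN  (reads the report on stdin)
# Prints "count value" for every distinct value in COLUMN. The values are sorted
# before uniq -c, because uniq only merges adjacent duplicates.
column_totals() {
    awk -F' [|] ' -v col="$1" '{ print $col }' | sort | uniq -c | sort -rn
}

# Stand-alone run over the constructed sample. For the real file use, e.g.:
#   count_ip_in_column 5 "$ip" < "$report"
printf '%s\n' "$SAMPLE_LOG" | count_ip_in_column 5 123.123.123.123   # 2
printf '%s\n' "$SAMPLE_LOG" | count_ip_in_column 6 123.123.123.123   # 1
printf '%s\n' "$SAMPLE_LOG" | column_totals 6
```

Because the functions read stdin, the same counting works unchanged on a file, a pipe from another tool, or the output of an io.popen() call from Lua.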
Related
I just finished scanning a host on my internal network ... and it's vulnerable to SMB. I need to grep the selected lines from the scan result:
root@kali:~# nmap -p445 --script smb-vuln-* 192.168.99.50
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-13 00:21 EET
Nmap scan report for 192.168.99.50
Host is up (0.19s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:50:56:BA:7F:57 (VMware)
Host script results:
| smb-vuln-ms08-067:
| VULNERABLE:
| Microsoft Windows system vulnerable to remote code execution (MS08-067)
| State: VULNERABLE
| IDs: CVE:CVE-2008-4250
| The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2,
| Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary
| code via a crafted RPC request that triggers the overflow during path canonicalization.
|
| Disclosure date: 2008-10-23
| References:
| https://technet.microsoft.com/en-us/library/security/ms08-067.aspx
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-ms17-010:
| VULNERABLE:
| Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
| State: VULNERABLE
| IDs: CVE:CVE-2017-0143
| Risk factor: HIGH
| A critical remote code execution vulnerability exists in Microsoft SMBv1
| servers (ms17-010).
|
| Disclosure date: 2017-03-14
| References:
| https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
| https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
|_ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 7.11 seconds
I just want to grep the name of the tested vuln and the status, like this:
| smb-vuln-ms08-067:
| VULNERABLE:
| smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-ms17-010:
| VULNERABLE:
Filter the output of nmap through next pipeline:
sed -e '/^..smb-vuln-[^:]*: false/p' -e '/^..smb-vuln-[^:]*: *$/{n;p}' -e d
Explanation:
- the first sed command prints the lines beginning with a specific pattern and ending with ": false"
- the second command prints the lines beginning with the same pattern but with nothing after the ":" and also the next line; {n;p} means add the next line and print it
- the third command, d, removes everything else from the output
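The sed pipeline above prints the matching lines verbatim. As an added example (not from the answer above), the following POSIX shell script turns the same nmap script tree into one "script-name, state" line per check, which is easier to feed into a patch tracker or compare between scans; the excerpt it runs over is constructed in the layout of the question's scan output.

```shell
#!/bin/sh
# Constructed excerpt in the layout of the nmap output in the question
# (made up for this example; not the original scan).
SAMPLE_SCAN='Nmap scan report for 192.168.99.50
Host is up (0.19s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds
Host script results:
| smb-vuln-ms08-067:
|   VULNERABLE:
|   Microsoft Windows system vulnerable to remote code execution (MS08-067)
|     State: VULNERABLE
|     IDs:  CVE:CVE-2008-4250
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
| smb-vuln-ms17-010:
|   VULNERABLE:
|   Remote Code Execution vulnerability in Microsoft SMBv1 servers (ms17-010)
|     State: VULNERABLE
|_    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0143
Nmap done: 1 IP address (1 host up) scanned in 7.11 seconds'

# smb_vuln_summary  (reads nmap output on stdin)
# Prints one "script-name<TAB>state" line per smb-vuln-* script. A script that
# reports "false" has the state on the same line; a script that found something
# has a bare "name:" line followed by the state (e.g. VULNERABLE) on the next line.
smb_vuln_summary() {
    awk '
        /^\|[ _]smb-vuln-/ {
            name = $0
            sub(/^\|[ _]/, "", name)          # drop the "| " or "|_" tree prefix
            sub(/:.*$/, "", name)             # keep only the script name
            if ($0 ~ /: false[ \t]*$/) { print name "\tfalse"; next }
            if ($0 ~ /:[ \t]*$/ && (getline state) > 0) {
                sub(/^\|[ _]?[ \t]*/, "", state)   # "|   VULNERABLE:" -> "VULNERABLE:"
                sub(/:.*$/, "", state)             # strip the trailing colon
                print name "\t" state
            }
        }'
}

# vulnerable_scripts  (reads the summary on stdin): names whose state is VULNERABLE
vulnerable_scripts() {
    awk -F'\t' '$2 == "VULNERABLE" { print $1 }'
}

printf '%s\n' "$SAMPLE_SCAN" | smb_vuln_summary
printf '%s\n' "$SAMPLE_SCAN" | smb_vuln_summary | vulnerable_scripts
```

On a real scan, replace the printf with `nmap ... | smb_vuln_summary`; the awk rules only depend on the "| " / "|_" tree prefix and the trailing colon that nmap prints for script names.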
Looking for a solution to convert Fit fixture for FitNesse test to Slim.
I got the Command-Line Fit fixture.
Since my whole FitNesse test system runs on Slim, I need CommandLineFixture as Slim to execute a bash script from my test.
Any other workaround for this should work for me.
I am trying to execute a script from a FitNesse test, and this script writes some text into a file present on the server where my FitNesse server is running.
But what I am observing with the provided fixture is that it opens the file and does not write any text into it.
So I just wanted to check whether there is any constraint in FitNesse on executing a script which writes into a file.
Also, I have given rwx permissions to the text file.
Below is my modified script:
!define TEST_SYSTEM {slim}
!path ../fixtures/*.jar
|Import |
| nl.hsac.fitnesse.fixture.slim.ExecuteProgramTest |
|script |
|set |-c |as argument|0 |
|set |ls -l / |as argument|1 |
|execute|/bin/bash |
|check |exit code |0 |
|show |standard out |
|check |standard error|!--! |
Executing the above test fetched no response and gave this result:
Test Pages: 0 right, 0 wrong, 1 ignored, 0 exceptions
Assertions: 0 right, 0 wrong, 0 ignored, 0 exceptions
(0.456 seconds)
I had a helper method to start a program in my fixture library already, but I started work on a fixture today. Would the execute program test fixture work for you?
Example usage:
We can run a program with some arguments, check its exit code and show its output.
|script |execute program test |
|set |-c |as argument|0|
|set |ls -l / |as argument|1|
|execute|/bin/bash |
|check |exit code |0 |
|show |standard out |
|check |standard error|!--! |
The default timeout for program execution is one minute, but we can set a custom timeout. Furthermore, we can control the directory it is invoked from, set all arguments using a list, and get its output 'unformatted'.
|script |execute program test |
|check |timeout |60000 |
|set timeout of |100 |milliseconds|
|set working directory|/ |
|set |-c, ls -l |as arguments|
|execute |/bin/bash |
|check |exit code |0 |
|show |raw standard out |
|check |raw standard error|!--! |
The timeout can also be set in seconds, and environment variables can be passed (the process's output is escaped to ensure it is displayed properly).
|script |execute program test |
|set timeout of|1 |seconds |
|set value |Hi <there> |for |BLA|
|set |-c |as argument|0 |
|set |!-echo ${BLA}-!|as argument|1 |
|execute |/bin/bash |
|check |exit code |0 |
|check |raw standard out |!-Hi <there>
-!|
|check|standard out|{{{Hi <there>
}}}|
If this full URL:
http://domain.com/dir/file.css
Is an "absolute URL", where the link will work from any website.
And this:
../dir/file.css
Is a "relative URL", where the link will only work from that directory path.
What is the combination of those two called…
/dir/file.css
Where the link will work from any location on that site?
Your first example is a URL. Your second and third examples are not URLs, they're paths. If the path begins with / then it's an absolute path, otherwise it's a relative path.
Web browsers generally understand how to interpret a path in relation to the "current" host and path.
You’re basically talking about a URI scheme. In your example:
/dir/file.css
This is considered the path:
/dir/
And this is the filename:
file.css
So saying "hostname plus path & filename" is a safe bet. Or perhaps /dir/file.css can be considered the root path, since the / at the beginning anchors it to the hostname part of the URL.
This diagram from Wikipedia explains it well:
foo://username:password@example.com:8042/over/there/index.dtb?type=animal&name=narwhal#nose
  scheme name:       foo
  authority:         username:password@example.com:8042 (userinfo = username:password, hostname = example.com, port = 8042)
  path:              /over/there/index.dtb (interpretable as a filename, with .dtb interpretable as the extension)
  hierarchical part: //username:password@example.com:8042/over/there/index.dtb (authority plus path)
  query:             type=animal&name=narwhal (type and name interpretable as keys; animal and narwhal as values)
  fragment:          nose
urn:example:animal:ferret:nose
  scheme name: urn
  path:        example:animal:ferret:nose
mailto:username@example.com?subject=Topic
  scheme name: mailto
  userinfo:    username
  hostname:    example.com
  query:       subject=Topic
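The three link forms in the question behave differently depending on the page they appear on. The following is an added example (not part of any answer above): a simplified RFC 3986 section 5 reference resolver in POSIX shell, written for this page, that shows what a browser fetches for each form from two pages at different depths of the same site. The base and link URLs are constructed for the demonstration; the resolver assumes http/https-style bases with an authority and drops the base's query and fragment.

```shell
#!/bin/sh
# resolve_ref BASE REF: the URL a browser fetches for the link REF found on the
# page BASE. Simplified RFC 3986 section 5 resolution written for this example.
resolve_ref() {
    base=$1
    ref=$2
    case $ref in
        *://*)                       # absolute URL: used unchanged from any site
            printf '%s\n' "$ref"
            return
            ;;
    esac
    rest=${base#*://}                # host[:port]/path?query#fragment
    hostport=${rest%%/*}
    origin="${base%%://*}://$hostport"
    basepath=${rest#"$hostport"}     # "" or "/path..."
    basepath=${basepath%%\?*}
    basepath=${basepath%%#*}
    case $ref in
        /*) merged=$ref ;;                         # root-relative path: anchored to the host
        *)  merged="${basepath%/*}/$ref" ;;        # relative path: joined to the base directory
    esac
    printf '%s%s\n' "$origin" "$(remove_dot_segments "$merged")"
}

# remove_dot_segments PATH: collapse "." and ".." segments (RFC 3986 section 5.2.4);
# ".." above the root is discarded rather than escaping it
remove_dot_segments() {
    printf '%s\n' "$1" | awk -F/ '{
        n = 0
        for (i = 2; i <= NF; i++) {              # $1 is empty: the path starts with "/"
            if ($i == "..") { if (n > 0) n-- }
            else if ($i != ".") seg[++n] = $i
        }
        out = ""
        for (i = 1; i <= n; i++) out = out "/" seg[i]
        print (out == "" ? "/" : out)
    }'
}

# The same three links from two pages at different depths on the site
for page in http://domain.com/pages/sub/index.html http://domain.com/other/page.html; do
    for link in http://domain.com/dir/file.css ../dir/file.css /dir/file.css; do
        printf '%-40s %-30s -> %s\n' "$page" "$link" "$(resolve_ref "$page" "$link")"
    done
done
```

The absolute URL and the root-relative path resolve to the same target from both pages; only the relative path changes with the page's directory, which is the difference the question is asking about.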
My first post here.
In summary: I have a netstat output, using "netstat -an" command in Windows, and I would like to get the top number of one of the columns.
The output of netstat is something like this:
TCP 10.45.43.232:50387 10.42.48.61:902 ESTABLISHED
TCP 10.45.43.232:50559 46.228.47.115:443 CLOSE_WAIT
TCP 10.45.43.232:52501 10.48.48.128:3389 ESTABLISHED
TCP 10.45.43.232:58000 10.46.48.243:63713 ESTABLISHED
The result I want is:
58000
That number is the biggest value in the second column, after the ":" character.
So, in essence, I want a grep (and/or sed, awk, etc) which can search through a file, only look in the first 25 characters of each line, and get the highest number after a ":" character.
Tell me if you need more information, thanks in advance!
This can be an approach:
netstat ... | sort -t':' -nrk2 | awk -F"[ :]" '{print $8; exit}'
By pieces:
Sort it using : as the delimiter, taking the second column into account:
$ netstat ... | sort -t':' -nrk2
TCP 10.45.43.232:58000 10.46.48.243:63713 ESTABLISHED
TCP 10.45.43.232:52501 10.48.48.128:3389 ESTABLISHED
TCP 10.45.43.232:50559 46.228.47.115:443 CLOSE_WAIT
TCP 10.45.43.232:50387 10.42.48.61:902 ESTABLISHED
Print the biggest:
$ netstat ... | sort -t':' -nrk2 | awk -F"[ :]" '{print $8; exit}'
58000
Or better, using Mark Setchell's approach to fetch the last item:
$ netstat ... | sort -t':' -nrk2 | awk '{sub(/.*:/,"",$2); print $2; exit}'
58000
If the output has leading spaces/tabs:
netstat...|awk -F':|\\s*' '{p=$4>p?$4:p}END{print p}'
If there are no leading spaces:
netstat ..| awk -F':|\\s*' '{p=$3>p?$3:p}END{print p}'
I would go with this:
netstat -an | awk '{sub(/.*:/,"",$2); if($2>max)max=$2} END{print max}'
The sub() part strips all characters up to and including the colon off the second field, thereby extracting the port. If that is greater than max, max is updated. At the end, max is printed.
Here is yet another way using GNU awk:
netstat ... | awk '{split($2,tmp,/:/); a[tmp[2]]++}END{n=asorti(a);print a[n]}'
We split the second field (delimited by :) into a tmp array.
We populate the values as keys in array a.
In the END block we use the GNU awk asorti function, which sorts the keys, and print the highest.
You can also do it with coreutils alone:
netstat ... | cut -d: -f2 | cut -d' ' -f1 | sort -nr | head -n1
Output:
58000
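The answers above all assume the five-digit ports of the sample. As an added example (not from any answer above), the following POSIX shell script reads netstat output on stdin, including the header lines and leading whitespace that the Windows tool prints, and takes the column to inspect as a parameter. It forces the port to a number with +0 before comparing: after sub() the field holds a string, and a string comparison ranks "902" above "58000". The sample is constructed for the example.

```shell
#!/bin/sh
# Constructed sample shaped like "netstat -an" on Windows, including the header
# lines and the leading whitespace the real tool prints (made up for this example).
SAMPLE_NETSTAT='
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.45.43.232:50387     10.42.48.61:902        ESTABLISHED
  TCP    10.45.43.232:50559     46.228.47.115:443      CLOSE_WAIT
  TCP    10.45.43.232:52501     10.48.48.128:3389      ESTABLISHED
  TCP    10.45.43.232:58000     10.46.48.243:63713     ESTABLISHED
  TCP    10.45.43.232:902       10.46.48.250:7000      TIME_WAIT
  UDP    0.0.0.0:500            *:*'

# max_port COLUMN  (reads netstat output on stdin)
# COLUMN 2 is the local address, 3 the foreign address. Header and blank lines are
# skipped by requiring a protocol in field 1; awk splits on runs of blanks, so the
# leading whitespace does not shift the fields. The port is forced to a number
# with +0 so the comparison is numeric, not lexical.
max_port() {
    awk -v col="$1" '
        $1 == "TCP" || $1 == "UDP" {
            port = $col
            sub(/.*:/, "", port)              # keep what follows the last colon
            if (port + 0 > max) max = port + 0
        }
        END { print max + 0 }'
}

# ports_desc COLUMN  (reads netstat output on stdin)
# Every port in COLUMN, numerically descending, for a top-N view; "*" becomes 0.
ports_desc() {
    awk -v col="$1" '$1 == "TCP" || $1 == "UDP" { p = $col; sub(/.*:/, "", p); print p + 0 }' | sort -rn
}

printf '%s\n' "$SAMPLE_NETSTAT" | max_port 2     # 58000
printf '%s\n' "$SAMPLE_NETSTAT" | max_port 3     # 63713
printf '%s\n' "$SAMPLE_NETSTAT" | ports_desc 2 | head -n 3
```

With real data, replace the printf with `netstat -an | max_port 2`; the port extraction also works for IPv6 addresses such as [::1]:49668, because sub(/.*:/) removes everything up to the last colon.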
Is it possible to obtain the status of Bacula backup system Director in some parseable format?
It looks like the human-readable representation (the one you can see when using bacula-console) is formed on the director side during the TCP control connection.
In what language? The easiest way would be to invoke bconsole and send commands on stdin, then parse stdout and stderr.
Bacula has an interactive mode in bconsole, but if you know the commands in advance, this is not an issue.
You can also pull directly from the database, depending on your needs.
Example:
mysql> select JobId, Name, JobStatus from Job ORDER BY JobId DESC Limit 10;
+--------+-------------------------------------+-----------+
| JobId | Name | JobStatus |
+--------+-------------------------------------+-----------+
| 231215 | dbs16 Daily MysqlC XBM Snapshot | T |
| 231214 | dbs09 Daily MysqlS XBM Snapshot | T |
| 231213 | dbs10 Daily MysqlQ XBM Snapshot | T |
| 231212 | dbs11 Daily MysqlT XBM Snapshot | T |
| 231211 | dbs16 Daily MysqlI XBM Snapshot | T |
| 231210 | dbs19 Daily MysqlE XBM Snapshot | T |
| 231209 | dbs18 Daily MysqlB XBM Snapshot | R |
| 231208 | dbs17 Daily MysqlG XBM Snapshot | R |
| 231207 | Daily Catalog Backup | C |
| 231206 | adm6 svnops SVN Backup | R |
+--------+-------------------------------------+-----------+