我正在编写一个小型bash脚本,它将搜索一个字符串,对其进行解码,然后回显结果。然而,我解析日志文件是在以下结构:使用awk返回相应的列
<filename/path to file> <signature>
到目前为止,我只提取签名,带他们通过正则表达式,然后解码任何已经匹配了正则表达式。我也想输出相当于我grepped像这样的签名文件:
<filename/path to file> <decoded signature>
<filename/path to file> <decoded signature>
什么我的电流输出一样如下:
<decoded signature>
<decoded signature>
这里是我的脚本:
#!/bin/bash
read -p $'\e[1;33mLogfile\e[0m: ' sigs
parse=$(awk 'NF > 1 {print $2}' "$sigs")
Array=($(grep -ra "$parse" /var/lib/clamav | grep -oP "(?<=^|[*{};])[A-Fa-f0-9]+(?=$|[*;{}])"))
for hex in "${Array[@]}"; do
converted="$(xxd -r -p <<< "$hex")"
echo -e "\e[92m$converted \e[0m"
done
如果我将日志文件的所有内容存储在一个数组中,其中的元素将是文件名和密钥的解码签名,这是一个好主意吗?
UPDATE
日志文件(LOGFILE.TXT) - >什么我解析;
/public_html/n0g6v/content/execution-after-redirect.html: {LDB}VT-malware33.UNOFFICIAL FOUND
/public_html/n0g6v/paypal-gateway.html: Html.Exploit.CVE.2015_6073
/var/lib/clamav/daily.cld - >在那里我得到签名HEX值解码;
Html.Exploit.CVE_2015_6073;Engine:51-255,Target:3;0&1;696e7365727461646a6163656e7468746d6c;6164646576656e746c697374656e6572{-30}646f6d6e6f646572656d6f766564*737761706e6f6465
=========================================== ==============
样品输入:
logfile.txt
输出:
/public_html/n0g6v/content/execution-after-redirect.html:
/public_html/n0g6v/paypal-gateway.html:
insertadjacenthtml
-------------------------------------------------------------------------------
/public_html/n0g6v/content/execution-after-redirect.html:
/public_html/n0g6v/paypal-gateway.html:
addeventlistener
============= ============================================
如何,我想它是:
样品输入:
logfile.txt
输出:
/public_html/n0g6v/content/execution-after-redirect.html:
<No match found for this signature>
/public_html/n0g6v/paypal-gateway.html:
insertadjacenthtml
addeventlistener
显示一些具体的(真实或现实的假)输入和所需的输出。我敢打赌,你会得到一个或几个答案,只需awk即可轻松完成整个任务。 – jas
谢谢。对样本输入/输出和预期样本进行了更新。 – McJohnson