Posted (edited)

Hi,

I am trying to parse a log file and wanted to extract just the ip address after "Callback address:" but I can't seem to get the expression correct

Here is the test string, the info I'd like to get is highlighted in bold.

"Some other text Callback address: 11.22.33.44 C&C risk level: blah blah blah"

Thanks in advance!

Edited by antmar904
Posted

@antmar904 One of our RegEx gurus will probably wander by soon to make this better, but this should give you a place to start:

$sString = "Some other text Callback address: 11.22.33.44 C&C risk level: blah blah blah"
$sNewString = StringRegExpReplace($sString, "[^0-9.]+", "") ; strip everything that is not a digit or a dot
ConsoleWrite($sNewString & @CRLF)

"Profanity is the last vestige of the feeble mind. For the man who cannot express himself forcibly through intellect must do so through shock and awe" - Spencer W. Kimball

How to get your question answered on this forum!

Posted
1 minute ago, JLogan3o13 said:

@antmar904 One of our RegEx gurus will probably wander by soon to make this better, but this should give you a place to start:

$sString = "Some other text Callback address: 11.22.33.44 C&C risk level: blah blah blah"
$sNewString = StringRegExpReplace($sString, "[^0-9.]+", "") ; strip everything that is not a digit or a dot
ConsoleWrite($sNewString & @CRLF)

Hi @JLogan3o13

The log file just changed and should be the same moving forward.  

Here is all the contents of the log file and the data that I would like to capture is highlighted in bold.  Basically the ip address listed after "Callback address:".

Thanks again!  RegEx is not my thing.

String:

C&C callback detected Compromised Host: COMPUTER1 IP Address: 122.111.222.33 Domain: Company\Workstations\ Date/Time: 1/22/2018 7:26:30 Callback address: 11.22.33.444 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked

Posted
4 minutes ago, JLogan3o13 said:

Yes, that syntax would have been nice to know in the first place. You'll have to wait for someone more familiar with regex to wander by.

No worries, Ill keep playing around with it in the meantime.  Thanks again.

Posted (edited)

Hello.

$OrgString="Callback address: 11.22.33.222 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked"
$RegEx="(^.+?)(\b(?:\d{1,3}\.){3}\d{1,3}\b)(.+$)"
$RegExRepl="$2" ; $1 is the string before, $3 the string behind your IP address

$IPOnly=StringRegExpReplace($OrgString,$RegEx,$RegExRepl)

MsgBox(0,"Replace Result",$IPOnly)

As your LOG file will only hold valid IP addresses, it's obviously not necessary to check for valid IP addresses (numbers < 1..254 vs. 0..255)

regards, Rudi.

Edited by rudi

Earth is flat, pigs can fly, and Nuclear Power is SAFE!

Posted
14 minutes ago, rudi said:

Hello.

$OrgString="Callback address: 11.22.33.222 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked"
$RegEx="(^.+?)(\b(?:\d{1,3}\.){3}\d{1,3}\b)(.+$)"
$RegExRepl="$2" ; $1 is the string before, $3 the string behind your IP address

$IPOnly=StringRegExpReplace($OrgString,$RegEx,$RegExRepl)

MsgBox(0,"Replace Result",$IPOnly)

As your LOG file will only hold valid IP addresses, it's obviously not necessary to check for valid IP addresses (numbers < 1..254 vs. 0..255)

regards, Rudi.

Hello @rudi

Thank you for your help, however the log file may contain more than one ip address and I am only looking to retrieve the ip address that comes right after "Callback address:"

Here is the whole test string:

"C&C callback detected Compromised Host: COMPUTER1 IP Address: 122.111.222.33 Domain: Company\Workstations\ Date/Time: 1/22/2018 7:26:30 Callback address: 11.22.33.444 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked"

Posted (edited)

Hi.

Try this:

Local $OrgString="C&C callback detected Compromised Host: COMPUTER1 IP Address: 122.111.222.33 Domain: Company\Workstations\ Date/Time: 1/22/2018 7:26:30 Callback address: 11.22.33.444 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked "
Local $RegEx="Callback address: ([\d.]*)"

Local $IPOnly=StringRegExp($OrgString,$RegEx, 1)

MsgBox(0,"Result",$IPOnly[0])

It shows the first IP after "Callback address: " (there is a trailing space).

Regards, Conrad

Edited by Simpel
typo
SciTE4AutoIt = 3.7.3.0   AutoIt = 3.3.14.2   AutoItX64 = 0   OS = Win_10   Build = 19044   OSArch = X64   Language = 0407/german
H:\...\AutoIt3\SciTE     H:\...\AutoIt3      H:\...\AutoIt3\Include     (H:\ = Network Drive)

Any of my own code posted anywhere on the forum is available for use by others without any restriction of any kind.

Posted

This one extracts the valid IP address after the first occurrence of "Callback address: " (11.22.33.444 is not a valid IP)


Local $sText =  "C&C callback detected Compromised Host: COMPUTER1 IP Address: 122.111.222.33 Domain: Company\Workstations\ Date/Time: 1/22/2018 7:26:30 Callback address: 11.22.33.444 C&C risk level: Dangerous C&C list source: Relevance Rule Action: Blocked"


Local $aResult = StringRegExp ($sText, "(?i)Callback address: ((?:(25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)\.){3}(?2))\b", 1)
MsgBox(0, "", (@error ? "No valid IP found" : $aResult[0]) )
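As an added example (not code from the thread, and written in Python rather than AutoIt so the three approaches can be compared side by side), the snippet below runs each suggestion over the full log line: stripping everything but digits, taking the first dotted quad, and anchoring on the "Callback address:" label with the strict 0-255 octet alternation. The sample line is constructed from the one posted above, and the function names are my own. Python's re module has no `(?2)` subroutine call, so the octet pattern is repeated through string formatting instead.

```python
import re
from typing import Optional

# Constructed sample, modelled on the log line posted in the thread. The callback
# address deliberately has an out-of-range last octet (444).
LOG_LINE = (
    "C&C callback detected Compromised Host: COMPUTER1 IP Address: 122.111.222.33 "
    "Domain: Company\\Workstations\\ Date/Time: 1/22/2018 7:26:30 "
    "Callback address: 11.22.33.444 C&C risk level: Dangerous "
    "C&C list source: Relevance Rule Action: Blocked"
)
# Same line with a well-formed callback address.
GOOD_LINE = LOG_LINE.replace("11.22.33.444", "11.22.33.44")

# One decimal octet 0-255 without leading zeros (the alternation used in the thread's PCRE).
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)"
# Four octets; the trailing \b stops "11.22.33.444" from matching as "11.22.33.44"
# with a stray digit left over.
IPV4 = rf"\b(?:{OCTET}\.){{3}}{OCTET}\b"


def strip_non_digits(line: str) -> str:
    """First suggestion in the thread: delete everything except digits and dots.
    Only usable when the line contains one IP and no other numbers."""
    return re.sub(r"[^0-9.]+", "", line)


def first_dotted_quad(line: str) -> Optional[str]:
    """Rudi's first pattern: the first dotted quad, whatever label precedes it."""
    m = re.search(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", line)
    return m.group(0) if m else None


def callback_address(line: str, strict: bool = True) -> Optional[str]:
    """The address following 'Callback address:'. With strict=True a malformed
    address makes the whole match fail (the '@error' branch of the AutoIt version);
    with strict=False it is returned as written, like the [\\d.]* pattern."""
    body = IPV4 if strict else r"[\d.]+"
    m = re.search(rf"Callback address:\s*({body})", line, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(strip_non_digits(LOG_LINE))                # digits from every field run together
    print(first_dotted_quad(LOG_LINE))               # 122.111.222.33, the host IP, not the callback
    print(callback_address(LOG_LINE, strict=False))  # 11.22.33.444
    print(callback_address(LOG_LINE))                # None: 444 is not an octet
    print(callback_address(GOOD_LINE))               # 11.22.33.44
```

Run it on the full line and the difference is visible at once: the strip approach concatenates the host IP, the date and the callback address into one unusable string, the unanchored quad returns the compromised host's own address, and only the label-anchored pattern returns the callback address, with the strict variant refusing the malformed one rather than passing it downstream as an indicator.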

 

Posted

Sorry all, I removed the ip address for security purposes.

Running this

.*Callback address: ([\d.]+).*

on my log file, I am getting the expected results. 

Thank you all very much for your help.

I really need to learn RegEx.

Posted (edited)

What are you doing with the returned list of callback addresses?  These look like TrendMicro logs getting parsed to get bounced off a list of IOCs or fed to a firewall...If there is further automation to be done and you have access to the AV Control Manager, then the rabbit hole goes deep and we love trimming steps out of processes at large (FD: I may or may not be our Trend admin).

Edited by iamtheky

,-. .--. ________ .-. .-. ,---. ,-. .-. .-. .-.
|(| / /\ \ |\ /| |__ __||| | | || .-' | |/ / \ \_/ )/
(_) / /__\ \ |(\ / | )| | | `-' | | `-. | | / __ \ (_)
| | | __ | (_)\/ | (_) | | .-. | | .-' | | \ |__| ) (
| | | | |)| | \ / | | | | | |)| | `--. | |) \ | |
`-' |_| (_) | |\/| | `-' /( (_)/( __.' |((_)-' /(_|
'-' '-' (__) (__) (_) (__)

Posted
2 hours ago, iamtheky said:

What are you doing with the returned list of callback addresses?  These look like TrendMicro logs getting parsed to get bounced off a list of IOCs or fed to a firewall...If there is further automation to be done and you have access to the AV Control Manager, then the rabbit hole goes deep and we love trimming steps out of processes at large (FD: I may or may not be our Trend admin).

Yes, these are logs from TrendMicro that are being fed into our SIEM system, which is why I needed help with the RegEx to create a custom field with the callback address.

Posted

cool, are you writing the PCRE for index or search time parsing?  I only ask because we have some PCRE wizards here who could easily write you one that parses that log into all the fields using this as a model:

http://docs.trendmicro.com/en-us/enterprise/control-manager-60/ch_ag_tut_data_view/data_threat/data_threat_overall/data_threat_cnc.aspx

FD: I may or may not be the current leader of the Splunk user's group and also have a total boner for SIEM stuff.  And is this all OfficeScan stuff or do you get DDI logs too?  Because I might hit you up with questions if yall are running DDI.

 

 

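As an added example of the "parse the whole log line into all the fields" idea raised above (my own code, not from the thread or from Trend Micro), the Python below builds one anchored pattern from the field labels visible in the posted line and returns a record with named fields, validating both IP fields separately. The label list, the field names, the sample line and the date format are assumptions taken from that single sample; a different product version may emit other labels, in which case only the FIELDS table needs changing.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample, copied in shape from the line posted in the thread.
SAMPLE_LINE = (
    "C&C callback detected Compromised Host: COMPUTER1 IP Address: 122.111.222.33 "
    "Domain: Company\\Workstations\\ Date/Time: 1/22/2018 7:26:30 "
    "Callback address: 11.22.33.444 C&C risk level: Dangerous "
    "C&C list source: Relevance Rule Action: Blocked"
)

# Field labels in the order they appear in the sample; the field names are my own.
FIELDS: List[Tuple[str, str]] = [
    ("host", "Compromised Host"),
    ("host_ip", "IP Address"),
    ("domain", "Domain"),
    ("timestamp", "Date/Time"),
    ("callback_address", "Callback address"),
    ("risk_level", "C&C risk level"),
    ("list_source", "C&C list source"),
    ("action", "Action"),
]

# Strict dotted quad, 0-255 per octet, for validating extracted values.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d{2}|[1-9]?\d)"
IPV4_RE = re.compile(rf"^(?:{OCTET}\.){{3}}{OCTET}$")


def build_pattern(fields: List[Tuple[str, str]] = FIELDS) -> "re.Pattern[str]":
    """One anchored regex: each value is matched lazily up to the next label, so
    values may contain spaces and backslashes (e.g. the Domain field)."""
    parts = [r"^C&C callback detected"]
    for name, label in fields:
        parts.append(rf"\s*{re.escape(label)}:\s*(?P<{name}>.*?)")
    parts.append(r"\s*$")
    return re.compile("".join(parts), re.IGNORECASE)


PATTERN = build_pattern()


def parse_cnc_event(line: str) -> Optional[Dict[str, object]]:
    """Return the event as a dict, or None if the line lacks any label.
    The two IP fields are validated separately so a malformed callback
    address is flagged instead of being forwarded as if it were an indicator."""
    m = PATTERN.match(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    try:
        rec["timestamp"] = datetime.strptime(str(rec["timestamp"]), "%m/%d/%Y %H:%M:%S")
    except ValueError:
        rec["timestamp"] = None  # keep the record, but the timestamp was not parseable
    rec["host_ip_valid"] = bool(IPV4_RE.match(str(rec["host_ip"])))
    rec["callback_address_valid"] = bool(IPV4_RE.match(str(rec["callback_address"])))
    return rec


if __name__ == "__main__":
    for key, value in (parse_cnc_event(SAMPLE_LINE) or {}).items():
        print(f"{key:25} {value!r}")
```

Because each value is captured lazily up to the next known label, the pattern is robust to values with internal spaces ("Relevance Rule") and to a trailing space on the line, which is the case Simpel's post notes. A line missing any one label is rejected outright, which is usually preferable in a SIEM pipeline to silently indexing a half-parsed event.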

Posted
28 minutes ago, iamtheky said:

cool, are you writing the PCRE for index or search time parsing?  I only ask because we have some PCRE wizards here who could easily write you one that parses that log into all the fields using this as a model:

http://docs.trendmicro.com/en-us/enterprise/control-manager-60/ch_ag_tut_data_view/data_threat/data_threat_overall/data_threat_cnc.aspx

FD: I may or may not be the current leader of the Splunk user's group and also have a total boner for SIEM stuff.  And is this all OfficeScan stuff or do you get DDI logs too?  Because I might hit you up with questions if yall are running DDI.

 

 

Yes, the PCRE is for indexing.  Sorry, we don't use Trend's DDI :(
