I'm working with Nessus vulnerability scanner results such as the following:
results|192.168.1|192.168.1.100|general/tcp|19506|Security Note|\nSynopsis :\n\nInformation about the Nessus scan.\n\nDescription :\n\nThis script displays, for each tested host, information about the scan itself:\n\n - The version of the plugin set\n - The type of plugin feed (HomeFeed or ProfessionalFeed)\n - The version of the Nessus Engine\n - The port scanner(s) used\n - The port range scanned\n - The date of the scan\n - The duration of the scan\n - The number of hosts scanned in parallel\n - The number of checks done in parallel\n\nSolution :\n\nn/a\n\nRisk factor :\n\nNone\n\nPlugin output :\n\nInformation about this scan : \n\nNessus version : 4.4.0 (Build 15045)\nPlugin feed version : 201012101834\nType of plugin feed : HomeFeed (Non-commercial use only)\nScanner IP : 192.168.1.100\nPort scanner(s) : nessus_syn_scanner \nPort range : default\nThorough tests : no\nExperimental tests : no\nParanoia level : 1\nReport Verbosity : 1\nSafe checks : yes\nOptimize the test : yes\nCGI scanning : disabled\nWeb application tests : disabled\nMax hosts : 20\nMax checks : 4\nRecv timeout : 5\nBackports : None\nScan Start Date : 2010/12/11 13:14\nScan duration : 246 sec\n\n
I want those \n characters to be treated as a new line. I tried the following in transforms.conf and it didn't work:
[nessus]
MAX_EVENTS = 1
SEDCMD-carriage_return = /s\\n/\n
Is it possible for SED to replace a character with a special character?
Thx.
Craig
Try this...
SEDCMD-carriage_return = s/\\\n/\n/g
I do it in a rex at searchtime, so I'm using
rex field=SUMMARY mode=sed "s/\\\n/\n/g"
I've tried this as well, but the SEDCMD only works when run from the command line. When I put it in the props.conf, it doesn't make the change.
Can you please try the following stanza instead (seems like the sed syntax in your stanza is not correct)
[nessus]
MAX_EVENTS = 1
SEDCMD-carriage_return = s/\\n/\n/g