Hello,
So basically I've got this field value :
Refer to <A HREF='https://technet.microsoft.com/library/security/ms15-011' TARGET='_blank'>MS15-011</A>
I'd like to have the URL and the Microsoft reference switched, as well as the whole phrase cleaner (getting rid of the 'TARGET=..'). That would result in:
Refer to MS15-011 : https://technet.microsoft.com/library/security/ms15-011
I've tried various things like sed (| rex field=Remediation mode=sed (HREF-{[^}]+})). Thing is, I don't really want to extract fields; that might make things trickier: assuming I have all my fields extracted, I'd then have to put them back together.
I think the better solution would be something that would replace everything straight away, within my main field value.
Any help would be appreciated, thank you 🙂
Like this:
| makeresults
| eval Remediation="Refer to <A HREF='https://technet.microsoft.com/library/security/ms15-011' TARGET='_blank'>MS15-011</A>"
| rename COMMENT AS "Everything above generates test data; everything below is your solution"
| rex field=Remediation mode=sed "s%<A HREF='(.*)' TARGET='_blank'>(.*)</A>.*$%\2 \1%"
All done in a single command.
Hi olivier,
I don't think you could fit the solution into only one simple command, but my solution isn't too complicated either.
<yoursearch> | rex field=Remediation "(?:^)(?<string1>[^\<]+)[^\']+\'(?<string2>[^\']+)[^\>]+\>(?<string3>[^\<]+)" | eval Remediation = string1 + " " + string3 + " : " + string2
Hi olivier120987
try this
your_search
| rex "HREF\=\'(?<url>[^\']*)\'\s+TARGET\=\'[^\>]*\>(?<MS_Ref>[^\<]*)"
| eval final_field="Refer to "+MS_Ref+" : "+url
| ...
Test regex at https://regex101.com/r/8BsDLD/1
Bye.
Giuseppe
Try this
your current search with field Remediation
| rex field=Remediation mode=sed "s/(Refer to )([^\']+\')([^\']+)([^\>]+\>)([^\<]+).+/\1\5 : \3/g"
Holy moly.... what an amazing solution!!! 😃
Thank you so much! You got me a huge step forward..
Annoyingly, it ignores the rest of the URLs. I happen to have multiple href/Microsoft refs:
Here is a more complete sample :
Refer to <A HREF='https://technet.microsoft.com/library/security/ms15-011' TARGET='_blank'>MS15-011</A>to obtain further patch information.<P>In some environments, to be completely protected from the vulnerability, additional configuration by a system administrator is required in addition to deploying this security update. Refer to Microsoft Knowledge Base Article <A HREF='https://support.microsoft.com/en-us/help/3000483' TARGET='_blank'>KB3000483</A> to obtain further information.<P><P>Patch:<br/>Following are links for downloading patches
Try this:
| rex field=Remediation mode=sed "s/(Refer to[^<]+)([^\']+\')([^\']+)([^>]+>)([^<]+)/\1\5 : \3/g"
Edit: darn... too late again
My solution was tailored based on your example in question, so not handling multiple URLs.
What would be the expected output for this sample?
Give this a try as well
s/(Refer to[^\<]+)([^\']+')([^\']+)([^\>]+\>)([^\>]+)\S+([^\.]+\.)/\1\5 : \3\6/g
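As an added example (not posted by anyone in the thread), here is the same kind of sed substitution run with `sed -E` over a shortened copy of the fuller sample. It rewrites every anchor on the line and then strips the leftover `<P>` and `<br/>` tags. The function names and the restriction to http(s) links are assumptions of this example.

```shell
#!/bin/sh
# Added example: clean a scanner "Remediation" string that carries HTML.
# Every <A HREF='url' ...>label</A> becomes "label : url", then the
# remaining markup is dropped. Function names are hypothetical.

# Shortened copy of the sample from the thread (both anchors kept).
sample_remediation() {
    cat <<'EOF'
Refer to <A HREF='https://technet.microsoft.com/library/security/ms15-011' TARGET='_blank'>MS15-011</A>to obtain further patch information.<P>Refer to Microsoft Knowledge Base Article <A HREF='https://support.microsoft.com/en-us/help/3000483' TARGET='_blank'>KB3000483</A> to obtain further information.<P><P>Patch:<br/>Following are links for downloading patches
EOF
}

# Reads text on stdin, writes the cleaned text on stdout.
rewrite_links() {
    # 1. Anchor -> "label : url ". [^']* and [^<]* cannot run past the
    #    current tag, so with the g flag each anchor is handled on its
    #    own. Only lowercase http:// or https:// targets are rewritten
    #    (assumption of this example). The trailing space covers
    #    "</A>to", where the source has no space after the tag.
    # 2. Any tag still present (<P>, <br/>, anchors skipped by step 1)
    #    becomes a space, so a skipped anchor keeps only its label.
    # 3. Runs of whitespace collapse to one space.
    # 4/5. Trim a leading or trailing space.
    sed -E \
        -e "s%<[Aa][[:space:]]+[Hh][Rr][Ee][Ff]='(https?://[^']*)'[^>]*>([^<]*)</[Aa]>%\2 : \1 %g" \
        -e 's%<[^>]*>% %g' \
        -e 's%[[:space:]]+% %g' \
        -e 's%^ %%' \
        -e 's% $%%'
}

# Stand-alone run: print the cleaned sample.
sample_remediation | rewrite_links
```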