[COFF] Requesting thoughts on extended regular expressions in grep.
Grant Taylor via COFF
coff at tuhs.org
Sat Mar 4 05:36:35 AEST 2023
On 3/3/23 9:12 AM, Dave Horsfall wrote:
> I can't help but provide an extract from my antispam log summariser
> (AWK):
>
> # Yes, I have a warped sense of humour here.
> /^[JFMAMJJASOND][aeapauuuecoc][nbrrynlgptvc] [ 0123][0-9] / \
> {
> date = sprintf("%4d/%.2d/%.2d",
> year, months[substr($0, 1, 3)], substr($0, 5, 2))
Thank you for sharing that Dave.
> Etc. The idea is not to validate so much as to grab a line of interest
> to me and extract the bits that I want.
Fair enough.
Using bracket expressions for the three letters is definitely another
idea that I hadn't considered.
But I believe I like what I think is -- what I'm going to describe as --
the more precise alternation listing out each month. (Jan|Feb|Mar...
Such an alternation is not going to match Jer like the three bracket
expressions will. I also believe that the alternation will be easier to
maintain in the future. Especially by someone other than me that has
less experience with REs.
> In this case I trust the source (the Sendmail log), but of course
> that is not always the case...
I trust that syslog will produce consistent line beginnings more than I
trust the data that is provided to syslog. But I'd still like to be
able to detect "Jer" or "Dot" if syslog ever tosses it's cookies.
> When doing things like this, you need to ask yourself at least the
> following questions:
>
> 1) What exactly am I trying to do? This is fairly important :-)
Filter out known to be okay log entries.
> 2) Can I trust the data? Bobby Tables, Reflections on Trusting
> Trust...
Given that I'm effectively negating things and filtering out log entries
that I want to not see (because they are okay) I'm comfortable with
trusting the data from syslog.
Brown M&Ms come to mind.
> 3) Etc.
>
> And let's not get started on the difference betwixt "trusted" and
> "trustworthy" (that distinction keeps security bods awake at night).
ACK
--
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4017 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://www.tuhs.org/pipermail/coff/attachments/20230303/eaaed4d0/attachment.p7s>
More information about the COFF
mailing list