Orc / cwatch

A swatch clone, written in the One True Language
http://www.pell.portland.or.us/~orc/Code/cwatch

about processing log lines with single quotes and backticks. #2

Open joe-at-startupmedia opened 2 months ago

joe-at-startupmedia commented 2 months ago

Thanks for contributing this library. I was looking for something to process log files that doesn't use a ridiculous amount of RAM. Lo and behold, a 17-year-old C program would do it!


I'm trying something pretty simple here without having to do a bunch of regex parsing, which I think is probably the ideal solution but not my preferred one. I'm trying to send the line below into a command which would match the following:

[root@startup-nginx-1 ~]# cat sample-output.text
2024/08/27 18:41:34 [error] 4195#0: *117921 [client 36.255.3.63] ModSecurity: Access denied with code 444 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/etc/nginx/conf/owasp-modsecurity-crs-api/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "81"] [id "949110"] [rev ""] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver ""] [maturity "0"] [accuracy "0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "159.65.191.112"] [uri "/wp-login.php"] [unique_id "17247840946.605311"] [ref ""], client: 36.255.3.63, server: thumbor.com, request: "GET /wp-login.php HTTP/1.1", host: "thumbo.com", referrer: "http://thumbor.com/wp-login.php"
[root@startup-nginx-1 ~]# cat .cwatch/modsec.conf
watchfor /ModSec/
  exec "/etc/cwatch/exec/modsec.bash '$*'"

That results in the following error:

-bash: syntax error near unexpected token `)'

The solution I came up with was replacing backticks and single quotes with a double quote: https://github.com/Orc/cwatch/pull/1/commits/e9e9511714af0f5d547955f199c73f900402e72a.

Is there something built into cwatch that can automatically handle this?

Btw, what is the format of the code called? It doesn't seem to be anything offered by indent out of the box, and the tabs look terrible in vim. Do you have a particular formatting tool you use?

Orc commented 2 months ago

I use vi with tabstops set to 8.

Log entries with fancy quotes. Ugh, that's a hell of a thing; if you made an optional sanitizer (either enabled on the command line or as an option to exec -- maybe something like exec dequote <command>) I'd happily accept it.

joe-at-startupmedia commented 2 months ago

Is that what they call them, fancy quotes? Looks more like horrendous quotes. I tried to find a configuration directive in modsec to adjust the log format, but it doesn't seem to exist; at least it's not readily apparent. I'll see if I have some time to make that contribution. Yes, something like dequote seems like it would be useful. I was trying to find a way to make a useful abstraction there, but I'm not at all familiar with that yacc parser, which seems like it'd be involved here.
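The `'$*'` in the modsec.conf above fails because a single quote inside the log line closes the shell's quoted string, so anything after it (backticks, `$(...)`, `)`) is parsed as shell syntax rather than data; the usual fix is to escape each embedded quote as `'\''` instead of replacing it, since everything else is literal inside single quotes. The C function below is an added example written for this thread, not cwatch's own code (the dequote option Orc suggests does not exist yet); `shell_single_quote` and `quoted_equals` are hypothetical names, and the log fragment is constructed from the sample line in the issue.

```c
#include <stdio.h>
#include <string.h>

/* Wrap `in` in single quotes for a POSIX shell, turning each embedded
 * single quote into '\'' (close quote, backslash-escaped quote, reopen).
 * Backticks, $ and double quotes are literal inside single quotes, so the
 * single quote is the only byte that needs handling.  Returns the number
 * of bytes written (excluding the NUL) or -1 if `out` is too small.
 * Hypothetical helper for this thread, not part of cwatch. */
int shell_single_quote(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen < 3) return -1;              /* room for '' and NUL */
    out[n++] = '\'';
    for (; *in; in++) {
        if (*in == '\'') {
            if (n + 4 + 2 > outlen) return -1;   /* 4 bytes + close + NUL */
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 1 + 2 > outlen) return -1;
            out[n++] = *in;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Quote `in` into a buffer of `outlen` bytes and return 1 if the result
 * equals `expected`, 0 otherwise (also 0 when the output does not fit). */
int quoted_equals(const char *in, size_t outlen, const char *expected)
{
    char buf[256];
    if (outlen > sizeof buf) outlen = sizeof buf;
    return shell_single_quote(in, buf, outlen) >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed fragment of the ModSecurity line quoted in the issue. */
    const char *line = "Matched \"Operator `Ge' with parameter `5'\"";
    char arg[256], cmd[512];
    if (shell_single_quote(line, arg, sizeof arg) < 0) return 1;
    snprintf(cmd, sizeof cmd, "/etc/cwatch/exec/modsec.bash %s", arg);
    puts(cmd);   /* a command line the shell parses as one literal argument */
    return 0;
}
```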