fkie-cad / Logprep

log data pre processing, generation and shipping in python
https://logprep.readthedocs.io/en/latest/
GNU Lesser General Public License v2.1

Replacing a value at the end of a string #643

Open ppcad opened 1 month ago

ppcad commented 1 month ago

I would like to replace certain values in a string with other values.

i.e. replace the number in the following string with NUMBER:

Input: "...this is a variable text... CONSTANT 543435"
Output: "...this is a variable text... CONSTANT NUMBER"

There can be multiple rules with a different CONSTANT that also require this replacement.

Is it possible to achieve this with a single processor, except for the normalizer? I have found a work-around using the dissector. Here I use & to get a prefix at the end, assuming & never appears in the string:

%{target} CONSTANT %{}&%{+( CONSTANT NUMBER)target}

Is there a better way using one processor? This work-around would not be necessary if the dissector could add a suffix.

ekneg54 commented 1 month ago

No... there is no solution yet. We could implement a new processor for this. I do not suggest extending the dissector for that, because it is built to dissect, not to replace. A new processor replacer should do the job.

ppcad commented 1 month ago

Thanks, this sounds like a good solution to me.

ekneg54 commented 1 month ago

We could implement this with the same syntax as the dissector. Then translate this to a Python string template in the rule and then process the event with this built template. See: https://docs.python.org/3/library/string.html#template-strings

ppcad commented 1 month ago

This looks good. We would also need to handle the case where some variable part of a text shouldn't be replaced.

Input: Replace this number 4325435, but not this one 645354
Output: Replace this number NUMBER, but not this one 645354
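
The approach discussed in this thread, sketched as an added example that is not Logprep code and not part of any comment above: a dissector-style pattern is translated into a regex for matching and a `string.Template` for output. The pattern syntax (`%{}` keeps the matched text, `%{VALUE}` replaces it with the literal VALUE) and the names `compile_replacer` and `apply_replacer` are assumptions.

```python
import re
from string import Template

# Assumed syntax, modelled on the dissector's %{...} fields:
#   %{}      -> variable text that is kept unchanged
#   %{VALUE} -> variable text that is replaced by the literal VALUE
FIELD = re.compile(r"%\{([^}]*)\}")


def compile_replacer(pattern):
    """Translate a pattern into (regex for matching, Template for output)."""
    regex, template, pos, kept = [], [], 0, 0

    def add_literal(text):
        regex.append(re.escape(text))
        # "$" is Template's delimiter; double it so literal text stays literal.
        template.append(text.replace("$", "$$"))

    for field in FIELD.finditer(pattern):
        add_literal(pattern[pos:field.start()])
        if field.group(1) == "":
            name = f"keep{kept}"
            kept += 1
            regex.append(f"(?P<{name}>.*?)")
            template.append("${" + name + "}")
        else:
            regex.append("(?:.*?)")
            template.append(field.group(1).replace("$", "$$"))
        pos = field.end()
    add_literal(pattern[pos:])
    return re.compile("".join(regex), re.DOTALL), Template("".join(template))


def apply_replacer(pattern, message):
    """Return the rewritten message, or the message unchanged if no match."""
    regex, template = compile_replacer(pattern)
    match = regex.fullmatch(message)
    if match is None:
        return message
    return template.substitute(match.groupdict())


if __name__ == "__main__":
    print(apply_replacer("%{} CONSTANT %{NUMBER}",
                         "...this is a variable text... CONSTANT 543435"))
    print(apply_replacer("Replace this number %{NUMBER}, but not this one %{}",
                         "Replace this number 4325435, but not this one 645354"))
```

Kept text is passed to `substitute` as a value, so a `$` inside the log message is never interpreted as a placeholder; only literal pattern text needs the `$$` escaping.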