
We have this regex:\\*.*?(.600[0-9]).*?.(LISTEN|ESTABLISHED)

OS = Solaris 10

The purpose of this regex is to match the ports in output of "netstat -an" and report if any ports between 6000-6009 are getting used. The only problem is if I have something like this (sample output as mentioned below), the regex matches everything with 6000 in it. It matches 46000, 60006 and 6000. Because of that we are getting faulty alerts. How can we fix this to just ONLY pick up ports (6000-6009)? Please help.

10.10.10.10.2055 10.10.4.10.60006 49552 0 49552 0 ESTABLISHED

10.10.10.10.6360 10.10.4.10.6000 65290 0 49640 0 LISTEN

10.10.10.10.2044 10.10.4.10.46000 49552 0 49552 0 ESTABLISHED

2 Answers


Your '.' before 600 is matching any character, not just '.' (why you got 46000), and you need to match for a space after 600x (why you got 60006).

\\*.*?([.]600[0-9]) .*?.(LISTEN|ESTABLISHED)



You can use awk to match only field 2 for port number pattern and last field for status:

# Anchor the port at the end of field 2 so that .60006 cannot match .600[0-9]
netstat -an | awk '$NF ~ /(LISTEN|ESTABLISHED)/ && $2 ~ /\.600[0-9]$/'

2 Comments

We are using Tripwire and regex is the only way out there.
In that case try: \.600[0-9] .*?(LISTEN|ESTABLISHED) regex
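As an added example (not code from the question or either answer), the following Python script runs the question's original pattern, the first answer's corrected pattern and the comment's shorter pattern over constructed `netstat -an` lines, and compares them with a field-based check in the spirit of the awk answer. The sample lines, the `regex_hits` and `field_hits` helpers, and the decision to inspect both the local and the remote address column by default are assumptions of this example; the awk answer itself looks only at `$2`, which `field_hits(columns=(1,))` reproduces.

```python
import re

# Constructed sample lines in the Solaris "netstat -an" layout shown in the
# question (address and port are joined with a dot; state is the last column).
SAMPLE_NETSTAT = """\
10.10.10.10.2055 10.10.4.10.60006 49552 0 49552 0 ESTABLISHED
10.10.10.10.6360 10.10.4.10.6000 65290 0 49640 0 LISTEN
10.10.10.10.2044 10.10.4.10.46000 49552 0 49552 0 ESTABLISHED
10.10.10.10.6007 10.10.4.10.51234 49552 0 49552 0 ESTABLISHED
10.10.10.10.6003 *.* 0 0 49152 0 TIME_WAIT
*.6002 *.* 0 0 49152 0 LISTEN
"""

# The pattern from the question: the unescaped '.' before 600 matches any
# character (so 46000 matches) and nothing bounds the digit after 600[0-9]
# (so 60006 matches).
ORIGINAL = re.compile(r"\\*.*?(.600[0-9]).*?.(LISTEN|ESTABLISHED)")

# The first answer's fix: a literal dot before the port and a space after it.
ANSWER_FIX = re.compile(r"\\*.*?([.]600[0-9]) .*?.(LISTEN|ESTABLISHED)")

# The shorter form suggested in the comment under the awk answer.
COMMENT_FIX = re.compile(r"\.600[0-9] .*?(LISTEN|ESTABLISHED)")


def regex_hits(pattern, text=SAMPLE_NETSTAT):
    """Return the 0-based indexes of the lines the pattern matches."""
    return [i for i, line in enumerate(text.splitlines()) if pattern.search(line)]


STATES = {"LISTEN", "ESTABLISHED"}
PORT_RANGE = range(6000, 6010)


def field_hits(text=SAMPLE_NETSTAT, columns=(0, 1)):
    """Field-based check in the spirit of the awk answer.

    The awk answer inspects only $2 (columns=(1,) here). By default this
    version (an assumption of this example) inspects both the local ($1)
    and the remote ($2) address column, and reads the port as the text
    after the last dot, so .60006 cannot be mistaken for .600[0-9].
    """
    hits = []
    for i, line in enumerate(text.splitlines()):
        fields = line.split()
        if len(fields) < 7 or fields[-1] not in STATES:
            continue
        for col in columns:
            port = fields[col].rsplit(".", 1)[-1]
            if port.isdigit() and int(port) in PORT_RANGE:
                hits.append(i)
                break
    return hits


if __name__ == "__main__":
    for name, pat in (("original", ORIGINAL), ("answer", ANSWER_FIX),
                      ("comment", COMMENT_FIX)):
        print(f"{name:>8}: lines {regex_hits(pat)}")
    print(f"  fields: lines {field_hits()} "
          f"(remote column only: {field_hits(columns=(1,))})")
```

Run stand-alone, the script reports that the original pattern flags lines 0, 1, 2, 3 and 5 (the 60006 and 46000 false positives included), while both corrected patterns and the two-column field check agree on lines 1, 3 and 5. Restricting the field check to the remote column, as the awk answer does, drops the rows whose 600x port sits in the local column, so which column the alert should watch is worth deciding before settling on a pattern.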
