
Looking at the xml file created by HitManPro I can see numerous entries like this one;

[Item type="Malware" malwareName="Trojan" score="0.0" status="None"]

These are the false positives.

I would like to replace the existing RegEX query that I use in a script (LabTech) with one that would look for anything like;

score="5.1" up to score="999.0"

I am new to Reg Ex queries, and I am having trouble building the search for digits inside the string score=" " .

Any help would be much appreciated. Below is a sample XML from hitmanPro

regards, Oscar Romero

HitmanPro Scan Completed Successfully.
Threats Found!
Scan Date: 2015-10-17T15:16:31

[Log computer="computer name" windows="6.1.1.7601.X64/12" scan="Normal" version="3.7.9.246" date="2015-10-17T15:16:31" timeSpentInSecs="125" filesProcessed="15922"]
    [Item type="Malware" malwareName="Malware" score="90.0" status="None"]
        [Scanners]
            [Scanner id="Bitdefender" name="Gen:Variant.Kazy.751212" /]
        [/Scanners]
        [File path="C:\Program Files (x86)\ESET\ESET Remote Administrator\Server\era.exe" hash="F7BB46D48B994539AFD400641CE8E4F85114FC7BA05A1BAA0D092F3A92817F13" /]
        [Startup]
            [Key path="HKLM\SYSTEM\CurrentControlSet\Services\ERA_SERVER\" /]
        [/Startup]
    [/Item]
[/Log]
toesslab
    [Don't use Regex to parse XML. Just... ***don't***.](http://stackoverflow.com/a/1732454/1079354) – Makoto Oct 20 '15 at 15:27
  • Thank you Makoto. I do respect your opinion. After all I have no experience, and you do. However, saying "Don't" without an alternative does little to help someone without experience :) – Oscar Romero Oct 21 '15 at 16:01
  • So...the answer at the bottom of the link suggests that you use an XML parser instead. Or, at least, some other parser that is more suited to this data format than regex could ever be. – Makoto Oct 21 '15 at 16:02

2 Answers


I have no idea on LabTech.

Anyway, the regex query that you can use:

\sscore="((?:5\.[1-9])|(?:[6-9]\.[0-9])|(?:[1-9]{1}[0-9]{1,2}\.[0-9]))"\s

or

\sscore="(5\.[1-9]|[6-9]\.[0-9]|[1-9]{1}[0-9]{1,2}\.[0-9])"\s

if you prefer without the (?: ... )

UPDATE: Okay, I made further changes to support the 5.1 minimum, and max 999.9

PS: This is my first answer on StackOverflow

Leow Kah Man
  • @Makoto, thanks for the feedback. I have revised the query to fulfil query criteria – Leow Kah Man Oct 20 '15 at 17:07
  • Thank you Leow Kah Man. This was my first question on stackoverflow :). You got it (second option, no ?). LabTech has a built-in RegEx Helper to test queries and yours worked like a charm :) LabTech is an RMM (Remote Monitoring and Management) tool by LabTechSoftware.com. It is work in progress, but with a lot of potential. We use HitmanPro for a second opinion AV/Malware detection. This will help us cut down on false positives. Thank you very much! – Oscar Romero Oct 21 '15 at 16:03
  • They both serve what you need. One is easier for me to see - just personal gut-feel. – Leow Kah Man Oct 21 '15 at 16:09

There must be a shorter version than this, but this should work.

score="(0\.[1-9]|[1-9]\.[0-9]|[1-9][0-9]\.[0-9]|[1-9][0-9][0-9]\.[0-9])"

Matches:

0.1
1.0
10.4
100.9
100.0
999.9
99.9
9.9
(etc.)

Does not match:

0.0
0
(etc.)

Is regex the way to go?

As for whether regex is the right tool for the job, I probably agree with @Makoto that it isn't - unless you're doing a quick scan of the results as an FYI, rather than filtering results as part of a larger tool or application. In other words, except for the simplest cases, I agree with @Makoto that you want some XML parsing tool.

alexanderbird
  • Thank you alexanderbird. Leow Kah Man's answer is what I was looking for. For future reference, do you know any good XML parsing command line tools? Something not bigger than a couple of files that could be quickly downloaded to be used to parse the file and pass results? – Oscar Romero Oct 21 '15 at 15:59
  • Sure, I recently looked into this to [answer this question](http://stackoverflow.com/a/33264931/3012550), and found [this post](http://stackoverflow.com/questions/15461737/how-to-execute-xpath-one-liners-from-shell) that provides several command line tools for executing [XPATH searches](https://msdn.microsoft.com/en-us/library/ms256086(v=vs.110).aspx). – alexanderbird Oct 21 '15 at 17:00
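The parser-based approach both answers point to, as an added example that is not from any of the posts: it loads a HitmanPro-style log with Python's xml.etree, reads each Item's score attribute as a number and keeps items at or above the 5.1 threshold from the question. The sample log is constructed for the example (angle brackets restored, paths and hashes are placeholders); the function name `suspicious_items` is an assumption.

```python
"""Filter HitmanPro log items by score with an XML parser instead of a regex."""
import xml.etree.ElementTree as ET

# Constructed sample mirroring the question's log layout; the hash and path
# values are made-up placeholders, not real indicators.
SAMPLE_LOG = """\
<Log computer="computer name" windows="6.1.1.7601.X64/12" scan="Normal" version="3.7.9.246">
    <Item type="Malware" malwareName="Trojan" score="0.0" status="None">
        <File path="C:\\example\\falsepositive.exe" hash="PLACEHOLDER_HASH_1" />
    </Item>
    <Item type="Malware" malwareName="Malware" score="5.1" status="None">
        <File path="C:\\example\\borderline.exe" hash="PLACEHOLDER_HASH_2" />
    </Item>
    <Item type="Malware" malwareName="Malware" score="90.0" status="None">
        <Scanners><Scanner id="Bitdefender" name="Gen:Variant.Example" /></Scanners>
        <File path="C:\\example\\detected.exe" hash="PLACEHOLDER_HASH_3" />
    </Item>
    <Item type="Malware" malwareName="Malware" score="abc" status="None" />
</Log>
"""

MIN_SCORE = 5.1  # threshold from the question: 5.1 up to 999.0


def suspicious_items(xml_text, min_score=MIN_SCORE):
    """Return (malwareName, score, path) for every Item whose score >= min_score.

    Comparing numbers after parsing replaces the hand-built digit pattern and is
    unaffected by attribute order, surrounding whitespace or decimal places.
    """
    root = ET.fromstring(xml_text)
    hits = []
    # XPath-style predicate: only <Item> children flagged as Malware.
    for item in root.findall("./Item[@type='Malware']"):
        try:
            score = float(item.get("score", ""))
        except ValueError:
            continue  # missing or malformed score: nothing to compare
        if score >= min_score:
            file_el = item.find("File")
            path = file_el.get("path") if file_el is not None else None
            hits.append((item.get("malwareName"), score, path))
    return hits


if __name__ == "__main__":
    for name, score, path in suspicious_items(SAMPLE_LOG):
        print(f"{score:6.1f}  {name}  {path}")
```

The 0.0 false positive and the malformed score are dropped; the 5.1 and 90.0 items are returned in document order.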