awk programming question

[Paul Schmehl]

I'm kind of stubborn.  There's lots of different ways to skin a cat, but I 
like to force myself to use the built-in utilities to do things so I can 
learn more about them and better understand how they work.

So, I'm trying to parse a file of snort rules, extract two string values 
and insert a double pipe between them to create a sig-msg.map file

Here's a typical rule:

alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] ET POLICY Outbound 
TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; 
sid:2008120; rev:1;)

Here's a typical sig-msg.map file entry:

9624 || RPC UNIX authentication machinename string overflow attempt UDP

So, from the above rule I would want to create a single line like this:

2008120 || E3[rb] ET POLICY Outbound TFTP Read Request

There are several ways I can extract one or the other value, and I've 
figured out how to extract the sid and add the double pipe, but for the 
life of me I can't figure out how to extract and print out sid || msg.

This prints out the sid and the double pipe:

echo `awk 'match($0,/sid:[0-9]*;/) {print substr($0,RSTART,RLENGTH)" || "}' 
/tmp/mtc.rules | tr -d ";sid"

It seems I could put the results into a variable rather than printing them 
out, and then print var1 || var2, but my google foo hasn't found a useful 
example.

Surely there's a way to do this using awk?  I can use tr for cleanup.  I 
just need to get close to the right result.

How about it awk experts?  What's the cleanest way to get this done?

-- 
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell