ragrep-2.4.2.tar.gz

Carter Bullard carter at qosient.com
Mon Nov 13 16:21:44 EST 2000


Gentle people,
   I have uploaded ragrep(), the GNU egrep for the
captured user data in an Argus stream.  This is simply
the GNU grep-2.4.2 distribution, but hacked to be an
Argus client.  You use it by specifying the regular
expression you want to grep for using the "-e expression"
option.  So if you have Argus data that has user data
included, then use ragrep to grep through the data.

   ragrep -e HTTP -r /tmp/argus.file

should show you all the connections that have the string
HTTP in either the source or destination user data buffers.
This can be used to show you all the web traffic, regardless
of what port is being used.  If you want cgi scripts only
for HTTP traffic, and you are capturing enough data with
an appropriate -U option, then things like:

   ragrep -e .cgi -r /tmp/argus.file

will select out the connections that involved cgi scripts.

To make it, untar the distribution in the ./clients directory,
and then:
   cd ragrep-2.4.2
   ./configure
   make

I will also be creating a POSIX ragrep(), that will be in
the standard distribution, which will be much smaller, but
this was the first experiment in processing user data.

Do test it out, I'm sure that there will be some bugs to
report.  Regular expressions are pretty powerful stuff,
so have at it.  The distribution is at:

ftp://qosient.com/dev/argus/ragrep-2.4.2/ragrep-2.4.2.tar.gz

Thanks!

Carter


Carter Bullard
QoSient, LLC
300 E. 56th Street, Suite 17A
New York, New York  10022

carter at qosient.com
Phone +1 212 813-9426
Fax   +1 212 813-9426
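As an added illustration (not code from the ragrep distribution, from GNU grep or from Argus), the following Python stand-in models what the announcement describes: a regular expression applied to the captured source and destination user-data buffers of each flow, selecting flows that match regardless of the port in use. The `Flow` class, its field names and the five sample records are constructed for this example and are not Argus's record format.

```python
import re
from dataclasses import dataclass


# Constructed stand-in for a flow record carrying captured user data.
# Field names are assumptions for this example, not Argus's own schema.
@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    suser: bytes   # captured source user data (what argus -U would retain)
    duser: bytes   # captured destination user data


# Constructed sample flows: HTTP on 80 and on 8080, TLS on 443,
# SSH running on port 80, and SMTP whose payload happens to contain "xcgi".
FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 80,
         b"GET /index.html HTTP/1.0\r\nHost: a\r\n", b"HTTP/1.0 200 OK\r\n"),
    Flow("10.0.0.5", "192.0.2.11", 8080,
         b"GET /cgi-bin/search.cgi?q=x HTTP/1.1\r\n", b"HTTP/1.1 200 OK\r\n"),
    Flow("10.0.0.7", "192.0.2.12", 443,
         b"\x16\x03\x01\x00\xa5\x01\x00\x00", b"\x16\x03\x01"),
    Flow("10.0.0.9", "192.0.2.13", 80,
         b"SSH-2.0-OpenSSH_2.3.0\r\n", b"SSH-2.0-OpenSSH\r\n"),
    Flow("10.0.0.9", "192.0.2.14", 25,
         b"EHLO mail\r\nMAIL FROM:<a@xcgi.example>\r\n", b"250 OK\r\n"),
]


def ragrep(expression: str, flows, ignore_case: bool = False):
    """Select the flows whose source OR destination user data contains a
    match for `expression` (an unanchored search, as egrep -e would do)."""
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(expression.encode(), flags)
    return [f for f in flows
            if pattern.search(f.suser) or pattern.search(f.duser)]


def describe(flows):
    """Render selected flows as 'src -> dst:port' lines for display."""
    return [f"{f.src} -> {f.dst}:{f.dport}" for f in flows]


if __name__ == "__main__":
    for expr in ("HTTP", ".cgi", r"\.cgi"):
        print(f"-e {expr}")
        for line in describe(ragrep(expr, FLOWS)):
            print("   ", line)
```

Matching on payload rather than port is the point of the announcement: `-e HTTP` picks up the web session on 8080 and leaves out the SSH session that happens to sit on port 80. The second and third expressions show a caveat worth remembering when grepping user data: in a regular expression `.` matches any character, so `.cgi` also selects the SMTP flow containing `xcgi`, while the escaped `\.cgi` selects only the flow that actually requested a `.cgi` script.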