feature request: ragrep

Carter Bullard carter at qosient.com
Tue Jun 17 10:18:03 EDT 2008


Hey CS Lee,
Now these regular expressions are not the highest performing things in
the world. And if you write a program to test a flow against, say, a couple
hundred regexes, you will be hard pressed to maintain 10K records per second,
so, ...., how important is this "start the search x bytes in front of the data"?

Most of the snort filters that are looking at content do offsets for
performance, not necessarily to have better filters.  We can do an offset
search, by modifying the call to the -e option to have something like this:
     -e s[10]:"regex"

If you have more than one filter.

Carter

On Jun 17, 2008, at 12:51 AM, CS Lee wrote:

> Hi Carter,
>
> The repetition works; I tried to apply .{5,} and it will match only
> with a minimum of 5 characters before the match.
>
> Thanks for the clue, I do use repetition but haven't used it with
> ragrep, I will try out the s: and d: matching.
>
> Blame my brain damage ;]
>
>
>
> On Tue, Jun 17, 2008 at 1:57 AM, Carter Bullard <carter at qosient.com>  
> wrote:
> Yes, put a "s:" or a "d:" in front of the string.
> Carter
>
>
> On Jun 16, 2008, at 1:19 PM, Nick Diel wrote:
>
>> Hey guys,
>>
>> Is it possible to grep only the source or the destination user data?
>>
>> Thanks,
>> Nick
>>
>> On Mon, Jun 16, 2008 at 10:37 AM, Carter Bullard  
>> <carter at qosient.com> wrote:
>> Hey CS Lee,
>> So can't you specify this using regular expression anchors and
>> repetition?  So you want to find "root" anywhere after 11 characters
>> from the front of the user data.
>>
>>    -e "^.{11}.*root"
>>
>> The '^' anchors the search at the start of the string.  The ".{11}"
>> requires that there be 11 characters of something, and then anywhere
>> after that, the regular expression will match 'root'.
>>
>> Does that do it?
>>
>> Carter
>>
>> On Jun 15, 2008, at 11:05 AM, CS Lee wrote:
>>
>>> hi carter,
>>>
>>> I'm making a request about ragrep to add the search range offset.  
>>> For example the matching only apply to first 10 bytes in user  
>>> data, or between 25-30 bytes in user data. With the range  
>>> specification it can reduce false positive to filter desired flows.
>>>
>>> Thanks.
>>>
>>> -- 
>>> Best Regards,
>>>
>>> CS Lee<geek00L[at]gmail.com>
>>>
>>> http://geek00l.blogspot.com
>>
>>
>
>
>
>
> -- 
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
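The three idioms the thread arrives at (anchor plus counted repetition for an offset, a `{m,n}` range for a byte window, and an `s:`/`d:` prefix to pick a side of the user data) can be tried out without a packet capture. The script below is an added example written for this page, not code from argus or ragrep; it runs the same patterns over a few constructed user-data payloads with Python's `re` module and emulates the side selector as the thread describes it. Assumptions, not taken from the thread: a record is modelled as a (source user data, destination user data) pair, and a pattern with no `s:`/`d:` prefix is searched against both sides. One caveat worth checking against whatever regex engine ragrep is built on: in Python, `.` does not consume a newline unless `re.DOTALL` is set, so an offset such as `.{11}` would silently fail on user data containing `\n` without that flag.

```python
import re

# Constructed sample flow records: (source user data, destination user data).
# The payloads are made up for this example; they are not captures from the thread.
RECORDS = [
    (b"USER root\r\nPASS hunter2\r\n", b"220 ftp ready\r\n"),
    (b"GET /index.html HTTP/1.0\r\n", b"HTTP/1.0 200 OK\r\nX-Owner: root\r\n"),
    (b"root", b""),
    (b"SSH-2.0-OpenSSH_4.7\r\n", b"SSH-2.0-root-shell\r\n"),
]


def parse_spec(spec):
    """Split the 's:' / 'd:' side prefix from the pattern.

    Assumption (not stated in the thread): a spec without a prefix is
    searched against both the source and the destination user data.
    """
    if spec.startswith("s:"):
        return ("s",), spec[2:]
    if spec.startswith("d:"):
        return ("d",), spec[2:]
    return ("s", "d"), spec


def grep_records(records, spec):
    """Return the indices of records whose selected user data matches spec."""
    sides, pattern = parse_spec(spec)
    # User data is raw bytes, so compile a bytes pattern. DOTALL makes '.'
    # consume \r and \n as well, otherwise a byte count such as .{11}
    # would stop at the first line break in the payload.
    rx = re.compile(pattern.encode(), re.DOTALL)
    hits = []
    for i, (suser, duser) in enumerate(records):
        data = {"s": suser, "d": duser}
        if any(rx.search(data[side]) for side in sides):
            hits.append(i)
    return hits


def after_offset(literal, offset):
    """Match literal anywhere after `offset` bytes: the '^.{11}.*root' idiom."""
    return "^.{%d}.*%s" % (offset, re.escape(literal))


def within_range(literal, first, last):
    """Match literal only when it starts between byte `first` and byte `last`
    (inclusive): the 'between 25-30 bytes' request expressed as a regex."""
    return "^.{%d,%d}%s" % (first, last, re.escape(literal))


if __name__ == "__main__":
    for spec in ("root", "^.{11}.*root", "s:root", "d:root",
                 within_range("root", 25, 30), within_range("root", 0, 6)):
        print("%-22s -> records %s" % (spec, grep_records(RECORDS, spec)))
```

A plain `root` hits every constructed record, while `^.{11}.*root` keeps only the one where the literal sits past byte 11, which is the false-positive reduction the original request was after; `^.{0,6}root` is the "only in the first 10 bytes" case (four bytes of literal, so it may start no later than byte 6).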
