argus client regex matching

Carter Bullard carter at qosient.com
Wed Apr 15 11:34:24 EDT 2009


So looking at tools like ngrep(), it's pretty clear that most bypass the
regex() library when matching binary patterns in binary buffers.
ngrep() has the "-X" option to declare that the matching string is
a hex number.

Not sure why this is broken, but regex() may not be the correct library
to use here?  Does anyone have any understanding as to why regex()
is the wrong way to go, when trying to match in binary buffers?

Carter


On Apr 15, 2009, at 11:18 AM, Carter Bullard wrote:

> Hey CS Lee,
> Hmmmmm, well I can't get grep() to match a binary file using the type
> of pattern you are using either, for that matter, I can't get egrep() to
> match a binary file using '-e "\x2C"', but I can get it to match using
> '-e ","' (match a ",").  \x2C is the hexadecimal for comma.
>
> This is on my Mac OS X (leopard).
>
> So, I'm not sure what I'm supposed to think about that.  What do you think?
>
> Carter
>
> On Apr 15, 2009, at 12:41 AM, CS Lee wrote:
>
>> hi carter,
>>
>> I have reported this previously too, about the regex matching to grep
>> the flow based on the user data bytes.
>>
>> it seems that if i want to search the flow based on hex codes -
>>
>> ra -nr argus.out -e "\x4d\x5a" doesn't seem to work, this is the latest
>> argus client.
>>
>> I'm testing out the patch now
>>
>>
>> Cheers!
>>
>> -- 
>> Best Regards,
>>
>> CS Lee<geek00L[at]gmail.com>
>>
>> http://geek00l.blogspot.com
>> http://defcraft.net
>

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
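An added illustration (not code from the thread or from the argus clients) of the two reasons the thread circles around: a user-data buffer is binary, so it can contain NUL bytes that regexec() treats as end-of-string, and POSIX regex has no notion of "\x4d" hex escapes. The sample buffer, the hex decoder and the byte-wise search are all constructed here to show the ngrep-style "decode hex, then compare bytes" approach beside a plain regexec() call on the same data.

```c
#include <regex.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode "4d5a" into raw bytes; returns the byte count or -1 on bad input. */
int hex_to_bytes(const char *hex, unsigned char *out, size_t outlen) {
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > outlen) return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = nibble(hex[i]), lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i / 2] = (unsigned char)((hi << 4) | lo);
    }
    return (int)(n / 2);
}

/* Length-bounded byte search: NUL bytes are ordinary data here. */
long find_bytes(const unsigned char *buf, size_t buflen,
                const unsigned char *pat, size_t patlen) {
    if (patlen == 0 || patlen > buflen) return -1;
    for (size_t i = 0; i + patlen <= buflen; i++)
        if (memcmp(buf + i, pat, patlen) == 0) return (long)i;
    return -1;
}

/* regexec() takes a C string, so it stops scanning at the first NUL byte. */
long find_regex(const char *pattern, const unsigned char *buf) {
    regex_t re;
    regmatch_t m;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0) return -1;
    int rc = regexec(&re, (const char *)buf, 1, &m, 0);
    regfree(&re);
    return rc == 0 ? (long)m.rm_so : -1;
}

/* Constructed sample: a NUL byte sits before the "MZ" (0x4d 0x5a) bytes. */
static const unsigned char sample[] = { 'a', 'b', 0x00, 0x4d, 0x5a, 'x' };

long demo_binary(void) {
    unsigned char pat[8];
    int n = hex_to_bytes("4d5a", pat, sizeof pat);
    return n < 0 ? -1 : find_bytes(sample, sizeof sample, pat, (size_t)n);
}
long demo_regex(void) { return find_regex("MZ", sample); }
```

demo_binary() returns 3 (the offset of the bytes past the NUL), while demo_regex() returns -1 because regexec() never looks beyond "ab".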


