argus client regex matching

CS Lee geek00l at gmail.com
Wed Apr 15 12:01:24 EDT 2009


hi carter,

Yeah, pcregrep is working, and I think ngrep is using pcre.

I tried echo 'M' | pcregrep "\x4d" and it works on linux/bsd/osx.



On Wed, Apr 15, 2009 at 11:34 PM, Carter Bullard <carter at qosient.com> wrote:

> So looking at tools like ngrep(), it's pretty clear that most bypass the regex()
> library when matching binary patterns in binary buffers.
> ngrep() has the "-X" option to declare that the matching string is
> a hex number.
>
> Not sure why this is broken, but regex() may not be the correct library
> to use here?  Does anyone have any understanding as to why regex()
> is the wrong way to go, when trying to match in binary buffers?
>
> Carter
>
>
> On Apr 15, 2009, at 11:18 AM, Carter Bullard wrote:
>
> Hey CS Lee,
>
> Hmmmmm, well I can't get grep() to match a binary file using the type
> of pattern you are using either, for that matter, I can't get egrep() to
> match a binary file using '-e "\x2C"', but I can get it to match using
> '-e ","' (match a ",").  \x2C is the hexadecimal for comma.
>
> This is on my Mac OS X (leopard).
>
> So, I'm not sure what I'm supposed to think about that.  What do you think?
>
> Carter
>
> On Apr 15, 2009, at 12:41 AM, CS Lee wrote:
>
> hi carter,
>
> I have reported this previously too, about the regex matching to grep the
> flow based on the user data bytes.
>
> it seems that if i want to search the flow based on hex codes -
>
> ra -nr argus.out -e "\x4d\x5a" doesn't seem to work, this is latest argus
> client.
>
> I'm testing out the patch now
>
>
> Cheers!
>
> --
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net
>
>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
>
>
>


-- 
Best Regards,

CS Lee<geek00L[at]gmail.com>

http://geek00l.blogspot.com
http://defcraft.net
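Added example (my own code, not from argus, ngrep or anyone in this thread): a small C program showing the two reasons the POSIX regex() calls do badly with the pattern CS Lee is using, and how to work around both. First, POSIX regcomp() has no \xHH escape, so a pattern like "\x4d\x5a" has to be decoded into raw bytes before it is compiled (and any decoded byte that is an ERE operator has to be backslash-escaped). Second, regexec() treats its subject as a NUL-terminated string, so it never sees past the first 0x00 in a binary buffer unless it is given the buffer length through the REG_STARTEND extension (glibc, BSD libc and macOS have it; its availability is an assumption here). The function names and the sample buffer are constructed for this example.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes that would be read as ERE operators if they appeared raw in the
 * pattern; the decoder backslash-escapes them so they match literally. */
static const char ERE_META[] = ".[()*+?{|^$\\";

/* Constructed sample "user data": a NUL byte sits before the bytes of interest. */
const unsigned char SAMPLE[] = { 0x00, 0x01, 'M', 'Z', 0x90, 0x00, ',', '*' };
const size_t SAMPLE_LEN = sizeof SAMPLE;

/* Translate "\xHH" escapes in a user pattern into raw bytes; everything else
 * is passed through unchanged as ordinary ERE syntax.
 * Returns 0 on success, -1 if an escape decodes to 0x00: regcomp() takes a
 * NUL-terminated pattern, so a NUL byte cannot be expressed this way at all
 * (this is the case where a length-aware library such as PCRE is needed).
 * `out` must have room for 2 * strlen(in) + 1 bytes. */
static int decode_hex_escapes(const char *in, char *out)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0';) {
        if (in[i] == '\\' && in[i + 1] == 'x' &&
            isxdigit((unsigned char)in[i + 2]) &&
            isxdigit((unsigned char)in[i + 3])) {
            char hex[3] = { in[i + 2], in[i + 3], '\0' };
            int byte = (int)strtol(hex, NULL, 16);
            if (byte == 0)
                return -1;
            if (strchr(ERE_META, byte) != NULL)
                out[o++] = '\\';
            out[o++] = (char)byte;
            i += 4;
        } else {
            out[o++] = in[i++];
        }
    }
    out[o] = '\0';
    return 0;
}

/* Compile `pattern` and run it over a binary buffer of known length.
 * REG_STARTEND makes regexec() honour pmatch[0].rm_so/rm_eo as the subject
 * bounds instead of stopping at the first NUL.
 * Returns the match offset, or -1 on no match or compile error. */
static long regexec_bytes(const char *pattern, const unsigned char *buf, size_t len)
{
    regex_t re;
    regmatch_t m[1];
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    m[0].rm_so = 0;
    m[0].rm_eo = (regoff_t)len;
    rc = regexec(&re, (const char *)buf, 1, m, REG_STARTEND);
    regfree(&re);
    return rc == 0 ? (long)m[0].rm_so : -1;
}

/* The failing case from the thread: hand "\x4d\x5a" to regcomp() untouched.
 * POSIX regex has no \xHH escape, so the bytes 0x4d 0x5a are never matched. */
long match_naive(const char *hex_pattern, const unsigned char *buf, size_t len)
{
    return regexec_bytes(hex_pattern, buf, len);
}

/* The working version: decode the escapes, then match over the whole buffer. */
long match_binary(const char *hex_pattern, const unsigned char *buf, size_t len)
{
    char *raw = malloc(2 * strlen(hex_pattern) + 1);
    long off = -1;

    if (raw != NULL && decode_hex_escapes(hex_pattern, raw) == 0)
        off = regexec_bytes(raw, buf, len);
    free(raw);
    return off;
}

int main(void)
{
    printf("naive   \\x4d\\x5a -> %ld\n", match_naive("\\x4d\\x5a", SAMPLE, SAMPLE_LEN));
    printf("decoded \\x4d\\x5a -> %ld\n", match_binary("\\x4d\\x5a", SAMPLE, SAMPLE_LEN));
    printf("decoded \\x2c     -> %ld\n", match_binary("\\x2c", SAMPLE, SAMPLE_LEN));
    printf("decoded \\x2a     -> %ld\n", match_binary("\\x2a", SAMPLE, SAMPLE_LEN));
    printf("decoded \\x00     -> %ld\n", match_binary("\\x00", SAMPLE, SAMPLE_LEN));
    return 0;
}
```

Build with `cc -std=c99 -o regex_bytes regex_bytes.c` (no extra libraries). The naive call reports no match while the decoded call finds "MZ" at offset 2 even though a NUL precedes it; the \x2a case shows why decoded bytes must be escaped (a raw `*` would otherwise be a quantifier); and the \x00 case is the remaining gap that decoding cannot close, which is the practical argument for a library like PCRE that takes pattern and subject lengths explicitly.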

