argus client regex matching

Carter Bullard carter at qosient.com
Wed Apr 15 12:37:23 EDT 2009


Just for correctness, ngrep() doesn't use pcregrep at all when
doing binary string matching.  It's really doing a straight
buffer to buffer comparison, memcmp(), so the binary field
matching is not based on regular expressions at all.

Carter

On Apr 15, 2009, at 12:01 PM, CS Lee wrote:

> hi carter,
>
> Yeah, pcregrep is working, and I think ngrep is using pcre.
>
> I tried echo 'M' | pcregrep "\x4d" and it works on linux/bsd/osx.
>
>
>
> On Wed, Apr 15, 2009 at 11:34 PM, Carter Bullard <carter at qosient.com> wrote:
> So looking at tools like ngrep(), it's pretty clear that most bypass the
> regex() library when matching binary patterns in binary buffers.
> ngrep() has the "-X" option to declare that the matching string is
> a hex number.
>
> Not sure why this is broken, but regex() may not be the correct library
> to use here?  Does anyone have any understanding as to why regex()
> is the wrong way to go, when trying to match in binary buffers?
>
> Carter
>
>
> On Apr 15, 2009, at 11:18 AM, Carter Bullard wrote:
>
>> Hey CS Lee,
>> Hmmmmm, well I can't get grep() to match a binary file using the type
>> of pattern you are using either; for that matter, I can't get egrep() to
>> match a binary file using '-e "\x2C"', but I can get it to match using
>> '-e ","' (match a ",").  \x2C is the hexadecimal for comma.
>>
>> This is on my Mac OS X (leopard).
>>
>> So, I'm not sure what I'm supposed to think about that.  What do you think?
>>
>> Carter
>>
>> On Apr 15, 2009, at 12:41 AM, CS Lee wrote:
>>
>>> hi carter,
>>>
>>> I have reported this previously too, about the regex matching to
>>> grep the flow based on the user data bytes.
>>>
>>> It seems that if I want to search the flow based on hex codes,
>>>
>>> ra -nr argus.out -e "\x4d\x5a" doesn't seem to work; this is the
>>> latest argus client.
>>>
>>> I'm testing out the patch now
>>>
>>>
>>> Cheers!
>>>
>>> -- 
>>> Best Regards,
>>>
>>> CS Lee<geek00L[at]gmail.com>
>>>
>>> http://geek00l.blogspot.com
>>> http://defcraft.net
>>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -- 
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax
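The distinction Carter draws above, a length-delimited memcmp() comparison versus a regex library that only ever sees a C string, worked through as an added example. This is not argus or ngrep code: the hex parser (modeled loosely on the idea behind ngrep's -X), the SAMPLE buffer with embedded NUL bytes and all function names are assumptions constructed for the illustration.

```c
#include <regex.h>
#include <stddef.h>
#include <string.h>
/* Constructed sample "user data": a fake PE-style header with embedded NUL bytes. */
static const unsigned char SAMPLE[] = { 'M','Z',0x90,0x00,0x00,'P','E',0x00,0x00 };

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;  /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Parse "4d5a" or "\x4d\x5a" into raw bytes (hypothetical helper in the spirit of ngrep's
 * -X). Returns the byte count, or -1 on an odd digit count, a non-hex char, or overflow. */
int hex_to_bytes(const char *hex, unsigned char *out, size_t outlen) {
    size_t n = 0; int hi = -1;
    for (const char *p = hex; *p; p++) {
        if (*p == '\\' && (p[1] == 'x' || p[1] == 'X')) { p++; continue; }  /* skip "\x" */
        int v = hexval((unsigned char)*p);
        if (v < 0) return -1;
        if (hi < 0) { hi = v; continue; }
        if (n >= outlen) return -1;
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return hi >= 0 ? -1 : (int)n;
}
/* Straight buffer-to-buffer comparison with memcmp(): length-delimited, so NUL bytes in
 * the buffer or the pattern are ordinary data. Returns the match offset or -1. */
long bin_find(const unsigned char *buf, size_t buflen, const unsigned char *pat, size_t patlen) {
    if (patlen == 0 || patlen > buflen) return -1;
    for (size_t i = 0; i + patlen <= buflen; i++)
        if (memcmp(buf + i, pat, patlen) == 0) return (long)i;
    return -1;
}
/* Search SAMPLE for a hex pattern the way a binary field matcher would. */
long find_hex(const char *hex) {
    unsigned char pat[32];
    int n = hex_to_bytes(hex, pat, sizeof pat);
    return n < 0 ? -1 : bin_find(SAMPLE, sizeof SAMPLE, pat, (size_t)n);
}
/* Contrast: POSIX regex over the same bytes. regexec() takes a C string, so matching stops
 * at the first NUL, and "\x4d" is no byte escape in POSIX ERE (it reads as literal "x4d").
 * Returns 1 on match, 0 on no match, -1 if regcomp() fails. */
int regex_find_sample(const char *pattern) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int rc = regexec(&re, (const char *)SAMPLE, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}
```

find_hex() locates "PE" past the NUL bytes at offset 5 and the MZ marker at offset 0, while regex_find_sample() finds "MZ" but neither "PE" (cut off by the first NUL) nor "\x4d\x5a" (no such escape in POSIX ERE).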
