argus client regex matching

Carter Bullard carter at qosient.com
Wed Apr 15 13:23:38 EDT 2009


OK, so GNU grep() using the regex library does not match your pattern, but
GNU grep() using the PCRE library does match your pattern.  PCRE is the
Perl regular expression engine.

I find it strange that GNU grep() has these two different modes of operation.
If we are going to get this type of pattern matching support into the
ra* programs, we'll have to do something similar to GNU grep(), and have a
switch to say use this regular expression engine here, etc.....

This will take a little time to do.  Is CS the only one wanting binary
pattern matching for the user data?

Carter


On Apr 15, 2009, at 12:01 PM, CS Lee wrote:

> hi carter,
>
> Yeah, pcregrep is working, and i think ngrep is using pcre.
>
> I try echo 'M' | pcregrep "\x4d" and it works on linux/bsd/osx.
>
>
>
> On Wed, Apr 15, 2009 at 11:34 PM, Carter Bullard <carter at qosient.com> wrote:
> So looking at tools like ngrep(), it's pretty clear that most bypass the
> regex() library when matching binary patterns in binary buffers.
> ngrep() has the "-X" option to declare that the matching string is
> a hex number.
>
> Not sure why this is broken, but regex() may not be the correct library
> to use here?  Does anyone have any understanding as to why regex()
> is the wrong way to go, when trying to match in binary buffers?
>
> Carter
>
>
> On Apr 15, 2009, at 11:18 AM, Carter Bullard wrote:
>
>> Hey CS Lee,
>> Hmmmmm, well I can't get grep() to match a binary file using the type
>> of pattern you are using either, for that matter, I can't get egrep() to
>> match a binary file using '-e "\x2C"', but I can get it to match using
>> '-e ","' (match a ",").  \x2C is the hexadecimal for comma.
>>
>> This is on my Mac OS X (leopard).
>>
>> So, I'm not sure what I'm supposed to think about that.  What do you
>> think?
>>
>> Carter
>>
>> On Apr 15, 2009, at 12:41 AM, CS Lee wrote:
>>
>>> hi carter,
>>>
>>> I have reported this previously too, about the regex matching to
>>> grep the flow based on the user data bytes.
>>>
>>> it seems that if i want to search the flow based on hex codes -
>>>
>>> ra -nr argus.out -e "\x4d\x5a" doesn't seem to work, this is the
>>> latest argus client.
>>>
>>> I'm testing out the patch now
>>>
>>>
>>> Cheers!
>>>
>>> -- 
>>> Best Regards,
>>>
>>> CS Lee<geek00L[at]gmail.com>
>>>
>>> http://geek00l.blogspot.com
>>> http://defcraft.net
>>
>
> Carter Bullard
> CEO/President
> QoSient, LLC
> 150 E 57th Street Suite 12D
> New York, New York  10022
>
> +1 212 588-9133 Phone
> +1 212 588-9134 Fax
>
> -- 
> Best Regards,
>
> CS Lee<geek00L[at]gmail.com>
>
> http://geek00l.blogspot.com
> http://defcraft.net

Carter Bullard
CEO/President
QoSient, LLC
150 E 57th Street Suite 12D
New York, New York  10022

+1 212 588-9133 Phone
+1 212 588-9134 Fax



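To make the difference discussed above concrete, here is an added example in C. It is not argus code and is not from anyone in this thread: it shows the POSIX regex() library failing to match "\x4d\x5a" against the bytes M Z (the library has no hex escape, so the pattern is not the two bytes the user meant), and then a small translate-then-byte-search routine of the kind a "-X"-style switch in the ra* programs could use instead of regexec(). The names unescape_hex, binary_find and hex_pattern_find are chosen for the example, and the six-byte userdata buffer is constructed, not captured.

```c
/* Added example, not argus code: why POSIX regex() misses "\x4d\x5a" in a
 * binary buffer, and a length-aware alternative for hex-escaped patterns. */
#include <sys/types.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Match `pattern` against the C string `text` with POSIX ERE.
 * Returns 1 on match, 0 on no match or if the pattern fails to compile. */
int posix_match(const char *pattern, const char *text)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    int rc = regexec(&re, text, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Convert a pattern such as "\x4d\x5a" into raw bytes. Every "\xHH" becomes
 * one byte; any other character is copied as-is. Returns the number of bytes
 * written, or -1 on a malformed escape or if `out` is too small. */
long unescape_hex(const char *pat, unsigned char *out, size_t outlen)
{
    size_t n = 0;
    for (const char *p = pat; *p; p++) {
        if (p[0] == '\\' && p[1] == 'x') {
            int hi = hexval((unsigned char)p[2]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[3]);
            if (lo < 0 || n >= outlen) return -1;
            out[n++] = (unsigned char)((hi << 4) | lo);
            p += 3;                 /* loop's p++ steps past the 4th char */
        } else {
            if (n >= outlen) return -1;
            out[n++] = (unsigned char)*p;
        }
    }
    return (long)n;
}

/* Length-aware byte search: unlike regexec(), it does not stop at a NUL.
 * Returns the offset of the first occurrence, or -1 if absent. */
long binary_find(const unsigned char *buf, size_t buflen,
                 const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || nlen > buflen) return -1;
    for (size_t i = 0; i + nlen <= buflen; i++)
        if (memcmp(buf + i, needle, nlen) == 0)
            return (long)i;
    return -1;
}

/* Match a "\xHH"-style pattern against a binary buffer: translate the
 * escapes to bytes, then search by length. Returns the offset or -1. */
long hex_pattern_find(const char *pat, const unsigned char *buf, size_t buflen)
{
    unsigned char needle[256];
    long nlen = unescape_hex(pat, needle, sizeof needle);
    if (nlen < 0) return -1;
    return binary_find(buf, buflen, needle, (size_t)nlen);
}

int main(void)
{
    /* Constructed sample "user data": two NUL bytes, then an MZ header. */
    static const unsigned char userdata[] = { 0x00, 0x00, 'M', 'Z', 0x90, 0x00 };

    printf("POSIX ERE \"\\x4d\\x5a\" vs \"MZ\": %d\n", posix_match("\\x4d\\x5a", "MZ"));
    printf("POSIX ERE \"MZ\" vs \"MZ\":        %d\n", posix_match("MZ", "MZ"));
    printf("hex_pattern_find offset: %ld\n",
           hex_pattern_find("\\x4d\\x5a", userdata, sizeof userdata));
    return 0;
}
```

Two things fall out of running it. The POSIX library either rejects the "\x" escape or treats it as the literal character "x", so the pattern never means the bytes 0x4d 0x5a; and regexec() takes a NUL-terminated string, so even a correct pattern could not see the "MZ" sitting after the two NUL bytes in the sample buffer. Both are reasons to bypass regex() for binary user-data matching, which is what ngrep's "-X" path does.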