ragrep newbie question ?

Stéphane Peters stephane.peters at forem.be
Sun Mar 14 18:58:43 EDT 2010 

Hello Carter,

could I do case insensitive searches with ra* clients ?
Maybe the "-i" option of ragrep could be added in the next release ?

Meanwhile, let me share a command used to look for evidences of some 
virus / malware infection.
It works pretty well without parenthesis; are they needed in this case ?
The RE is split on several lines to permit a nice posting, it seems 
limited to 4096 bytes, about 200 site names.
   #!/bin/bash
   s="PPIHelper.com"
   s="$s|solfire.aljosaborkovic.com"
   s="$s|kukutrustnet777.info"
   s="$s|www.kjwre.*fqwieluoi.info"
   s="$s|l33t.brand-clothes.net"
   s="$s|pica.banjalucke-ljepotice.ru"
   s="$s|maellisromance.com"
   s="$s|217.32.75.74"
   s="$s|pingaksh.com"
   s="$s|radio.irib.ir"
   s="$s|regal-mont.pondi.hr"
   s="$s|sandra.prichaonica.com"
   s="$s|sasgrowth.com"
   s="$s|snowboard619.w.interia.pl"
   s="$s|spargeunid.go.ro"
   s="$s|stakrix.st.funpic.de"
   s="$s|us516757.bizhostnet.com"
   s="$s|www.abassiehmunicipality.com"
   s="$s|www.polaris.ge"
   s="$s|www.railwayservices.be"
   s="$s|www.senaauto.ge"
   s="$s|ziyagokalpilkogretim72.meb.k12.tr"
   ragrep -s "+suser:50 -bytes" -i -e "$s" $* - udp port 53
Here an example of how it is used:
 ragrep-sality.sh -nr $file -w /tmp/sality-traces.ra

More details on the wiki site  :
  
http://nsmwiki.org/Argus#ragrep_example:_Finding_Palevo_.2F_Sality_virus_activity

julien a écrit :
> Hello,
>
> I have a small problem with ragrep, that I recently begin to use
> following this paper
> http://www.rawpacket.org/anonymous/papers/Argus-PracticalBotNetDetection.pdf
>
> When I launch the following request:
>
> $ ragrep -z -i -e '(http|https|ftp|get|post|head)' -r $src_log - dst
> port 80 or dst port 443 or dst port 8080
> (same without filter)
>
> I get nothing. $src_log is an argus file converted from a pcap (with argus)
> In Ethereal, there is some http traffic and ragrep doesn't get it. why ?
> bad command line, pcap conversion or something else ?
>
> Thanks.
> Best regards,
>
> 	Julien
>
>   
Regards,

-- 
Stephane.Peters at forem.be.

More information about the argus mailing list