ragrep newbie question?

Carter Bullard carter at qosient.com
Mon Mar 15 11:27:25 EDT 2010


Hey Stephane,
Very cool!!!!  I have just now enabled the 'i' flag to turn on case-insensitive greps
and will upload that tonight, tomorrow night, with some other fixes.

I defined MAXSTRLEN to be 4K for the whole client system, to conform to
other systems maximum string size.  Is 4K too short do you think?

If there is any other thing you need changed, don't hesitate to holler!!!

Carter

On Mar 14, 2010, at 6:58 PM, Stéphane Peters wrote:

> Hello Carter,
> 
> Could I do case-insensitive searches with ra* clients?
> Maybe the "-i" option of ragrep could be added in the next release?
> 
> Meanwhile, let me share a command used to look for evidence of a virus/malware infection.
> It works pretty well without parentheses; are they needed in this case?
> The RE is split over several lines to permit a nice posting; it seems limited to 4096 bytes, about 200 site names.
>  #!/bin/bash
>  # build the '|'-separated alternation of hostnames to look for in DNS traffic
>  s="PPIHelper.com"
>  s="$s|solfire.aljosaborkovic.com"
>  s="$s|kukutrustnet777.info"
>  s="$s|www.kjwre.*fqwieluoi.info"
>  s="$s|l33t.brand-clothes.net"
>  s="$s|pica.banjalucke-ljepotice.ru"
>  s="$s|maellisromance.com"
>  s="$s|217.32.75.74"
>  s="$s|pingaksh.com"
>  s="$s|radio.irib.ir"
>  s="$s|regal-mont.pondi.hr"
>  s="$s|sandra.prichaonica.com"
>  s="$s|sasgrowth.com"
>  s="$s|snowboard619.w.interia.pl"
>  s="$s|spargeunid.go.ro"
>  s="$s|stakrix.st.funpic.de"
>  s="$s|us516757.bizhostnet.com"
>  s="$s|www.abassiehmunicipality.com"
>  s="$s|www.polaris.ge"
>  s="$s|www.railwayservices.be"
>  s="$s|www.senaauto.ge"
>  s="$s|ziyagokalpilkogretim72.meb.k12.tr"
>  # -i: case-insensitive match; "$@" passes the caller's options (e.g. -r file -w out) through intact
>  ragrep -s "+suser:50 -bytes" -i -e "$s" "$@" - udp port 53
> Here is an example of how it is used:
> ragrep-sality.sh -nr $file -w /tmp/sality-traces.ra
> 
> More details on the wiki site  :
> http://nsmwiki.org/Argus#ragrep_example:_Finding_Palevo_.2F_Sality_virus_activity
> 
> julien wrote:
>> Hello,
>> 
>> I have a small problem with ragrep, which I recently began to use
>> following this paper:
>> http://www.rawpacket.org/anonymous/papers/Argus-PracticalBotNetDetection.pdf
>> 
>> When I launch the following request:
>> 
>> $ ragrep -z -i -e '(http|https|ftp|get|post|head)' -r $src_log - dst
>> port 80 or dst port 443 or dst port 8080
>> (same without the filter)
>> 
>> I get nothing. $src_log is an argus file converted from a pcap (with argus).
>> In Ethereal, there is some HTTP traffic and ragrep doesn't get it. Why?
>> Bad command line, pcap conversion, or something else?
>> 
>> Thanks.
>> Best regards,
>> 
>> 	Julien
>> 
>>  
> Regards,
> 
> -- 
> Stephane.Peters at forem.be.
> 
> 
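A small helper for the hostname-list search discussed above, added here as an example that is not code from the thread or from the argus project: it builds the '|'-joined alternation from a list file, escapes the dots so each name matches literally (assumes ragrep uses standard POSIX regex syntax), and splits the list into several ragrep passes so that no single pattern reaches the 4096-byte MAXSTRLEN limit mentioned by Carter. The list file, the function names and the chunking are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the thread): build ragrep hostname alternations
# from a list file, keeping every pattern under the 4096-byte MAXSTRLEN
# limit by splitting the list into several ragrep passes when needed.
MAXSTRLEN=4096   # ragrep's per-pattern string limit (from the thread)

# Escape the dots so "radio.irib.ir" matches only that literal name
# (assumes standard POSIX regex syntax). Entries are treated as literal
# hostnames; a wildcard entry like the one in the thread must be added by hand.
escape_host() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# Read one hostname per line from stdin (blank lines and '#' comments are
# skipped) and print one alternation per line, each shorter than $1
# (default MAXSTRLEN).
build_patterns() {
  local max="${1:-$MAXSTRLEN}" pat="" frag host
  while IFS= read -r host; do
    case "$host" in ''|\#*) continue ;; esac
    frag=$(escape_host "$host")
    if [ -z "$pat" ]; then
      pat="$frag"
    elif [ $(( ${#pat} + 1 + ${#frag} )) -ge "$max" ]; then
      printf '%s\n' "$pat"          # this chunk is full, start a new one
      pat="$frag"
    else
      pat="$pat|$frag"
    fi
  done
  if [ -n "$pat" ]; then printf '%s\n' "$pat"; fi
}

# One case-insensitive ragrep pass per chunk over the DNS records of the
# given argus file(s), e.g.: run_ragrep hosts.txt -r capture.argus -w out.ra
run_ragrep() {
  local list="$1"; shift
  build_patterns < "$list" | while IFS= read -r pat; do
    ragrep -s "+suser:50 -bytes" -i -e "$pat" "$@" - udp port 53
  done
}
```

Keeping the hostnames in a plain list file also makes it easy to check how many names fit under the limit before running the search.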


