ragrep newbie question?

John Kennedy wilson.amajohn at gmail.com
Mon Mar 15 14:02:47 EDT 2010


How many OR'd names until a seg fault occurs?  A program similar to
rafilteraddr.pl would come in handy for domain names.

There are thousands if not millions of malicious domains and auditing for
these gets a little interesting at times.  Building and maintaining rules
for outbreaks in an IDS can get quite cumbersome. I think using a tool
similar to rafilteraddr.pl would help keep a list concise and could be fast
enough for integration into other avenues.

I am just curious whether others audit for known malicious domains in
their environments.  Is it even worth the trouble?

John

On Sun, Mar 14, 2010 at 4:58 PM, Stéphane Peters
<stephane.peters at forem.be> wrote:

> Hello Carter,
>
> Could I do case-insensitive searches with ra* clients?
> Maybe the "-i" option of ragrep could be added in the next release?
>
> Meanwhile, let me share a command used to look for evidence of some virus
> / malware infection.
> It works pretty well without parentheses; are they needed in this case?
> The RE is split over several lines to permit a nice posting; it seems limited
> to 4096 bytes, about 200 site names.
>  #!/bin/bash
>  s="PPIHelper.com"
>  s="$s|solfire.aljosaborkovic.com"
>  s="$s|kukutrustnet777.info"
>  s="$s|www.kjwre.*fqwieluoi.info"
>  s="$s|l33t.brand-clothes.net"
>  s="$s|pica.banjalucke-ljepotice.ru"
>  s="$s|maellisromance.com"
>  s="$s|217.32.75.74"
>  s="$s|pingaksh.com"
>  s="$s|radio.irib.ir"
>  s="$s|regal-mont.pondi.hr"
>  s="$s|sandra.prichaonica.com"
>  s="$s|sasgrowth.com"
>  s="$s|snowboard619.w.interia.pl"
>  s="$s|spargeunid.go.ro"
>  s="$s|stakrix.st.funpic.de"
>  s="$s|us516757.bizhostnet.com"
>  s="$s|www.abassiehmunicipality.com"
>  s="$s|www.polaris.ge"
>  s="$s|www.railwayservices.be"
>  s="$s|www.senaauto.ge"
>  s="$s|ziyagokalpilkogretim72.meb.k12.tr"
>  ragrep -s "+suser:50 -bytes" -i -e "$s" $* - udp port 53
> Here is an example of how it is used:
> ragrep-sality.sh -nr $file -w /tmp/sality-traces.ra
>
> More details on the wiki site:
>
> http://nsmwiki.org/Argus#ragrep_example:_Finding_Palevo_.2F_Sality_virus_activity
>
> julien wrote:
>
>> Hello,
>>
>> I have a small problem with ragrep, which I recently began to use
>> following this paper:
>>
>> http://www.rawpacket.org/anonymous/papers/Argus-PracticalBotNetDetection.pdf
>>
>> When I launch the following request:
>>
>> $ ragrep -z -i -e '(http|https|ftp|get|post|head)' -r $src_log - dst
>> port 80 or dst port 443 or dst port 8080
>> (same without filter)
>>
>> I get nothing. $src_log is an argus file converted from a pcap (with
>> argus)
>> In Ethereal, there is some http traffic and ragrep doesn't get it. Why?
>> Bad command line, pcap conversion, or something else?
>>
>> Thanks.
>> Best regards,
>>
>>        Julien
>>
> Regards,
>
> --
> Stephane.Peters at forem.be.
>
>
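The script quoted above hand-builds one long alternation, and the thread asks how large that pattern can get before ragrep breaks. The following is an added example, not code from the post or from the argus project: it reads a plain domain list from a file, escapes each "." so names match literally (the post's "kjwre.*fqwieluoi" style wildcards would need to be left unescaped), and splits the list into chunks under a chosen byte limit, printing one ragrep command per chunk with the same flags the post uses. The file name traffic.argus, the output prefix /tmp/hits.ra and the sample domains are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not from the list post. Domain names are ASCII, so the
# character count ${#cur} equals the byte length of the pattern.

# build_patterns FILE MAXBYTES
# Prints one "a\.com|b\.net|..." alternation per line, each <= MAXBYTES long.
build_patterns() {
    local file="$1" max="$2" cur="" line esc
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        esc=$(printf '%s\n' "$line" | sed 's/\./\\./g')   # literal dots
        if [ -z "$cur" ]; then
            cur="$esc"
        elif [ $(( ${#cur} + 1 + ${#esc} )) -le "$max" ]; then
            cur="$cur|$esc"
        else
            printf '%s\n' "$cur"
            cur="$esc"
        fi
    done < "$file"
    [ -n "$cur" ] && printf '%s\n' "$cur"
    return 0
}

# ragrep_cmds FILE MAXBYTES ARGUSFILE OUTPREFIX
# Prints one ragrep command per chunk, using the flags from the post, and
# writes each chunk's matches to OUTPREFIX.N so outputs are kept separate.
ragrep_cmds() {
    local n=0 pat
    build_patterns "$1" "$2" | while IFS= read -r pat; do
        n=$((n + 1))
        printf 'ragrep -s "+suser:50 -bytes" -i -e "%s" -r %s -w %s.%d - udp port 53\n' \
            "$pat" "$3" "$4" "$n"
    done
}

# Constructed sample list with placeholder names (not indicators from the post).
DOMAINS=$(mktemp)
trap 'rm -f "$DOMAINS"' EXIT
printf '%s\n' '# sample list' 'bad.example.com' 'c2.example.net' '' 'evil.example.org' > "$DOMAINS"

# A 35-byte limit forces two chunks here; use something under 4096 in practice.
ragrep_cmds "$DOMAINS" 35 traffic.argus /tmp/hits.ra
```

Pipe the printed commands to sh to run them, or raise the limit to one chunk to keep a single output file.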