ragrep additions in argus-clients-3.0.3.4

Carter Bullard carter at qosient.com
Wed Mar 17 23:21:31 EDT 2010


Hey Guys,
I uploaded argus-clients-3.0.3.4 tonight, and ragrep() is back, looking
more like grep() than it ever has.  Man page included.

Thanks for the suggestions!!!!

I decided to go with not excluding records when using the -v option, based
on the idea that it would generate results that people would expect.  If there
are N records with M matches in the file, then the -v option should generate
(N - M) results.  Let's go this way until the next round of suggestions/opinions.

I've built in support to handle 1M byte expressions, and up to 16K separate
patterns, so that should handle most of the general stuff.  If you run into any
problems, say with big items in your regular expressions, please give a holler!!!!

Carter

On Mar 17, 2010, at 1:28 PM, Carter Bullard wrote:

> Hey Stéphane and John,
> I now have ragrep() working for many of the options that grep supports.  It will
> take me a day to get it all down, but I've run into some things that I'd love
> some opinions on.
> 
> First I have given ragrep() a 1M grep buffer, so we can have big regular
> expressions.  I've added parsing from a file, and right now, I support
> one regular expression, on a single line (using conventional '\' at the end
> of the line to create long single lines).  I'll add support for multiple
> expressions in the file, tonight.
> 
> I've added the -c, -i, -q, -v, -l and -L options that generate the same behavior
> as grep(), so we're getting somewhere (and I have a man page !!!).
> 
> The issue that I have is what should ragrep()'s behavior be when using
> the -v option?  The -v option inverts the matching logic so it returns lines that do
> not match the regular expression.  Now, ragrep() only matches regular
> expressions from the user data buffers in flow records.  How should we test
> records that don't have user data buffers?  Do they get included in the test,
> or should they be excluded?
> 
> So, let's say I have a file, /tmp/argus.file, with 100 argus records, where 80 have
> user data buffers.  Let's say that I search for the bad domains list below, which is
> specified in the bad.domains file, and the result is that there are no matches.
> 
> If I use the "-c" option, ragrep() will print out the same output as grep, filename:count
> on a single line for every file that has matches.
> 
>   % ragrep -c -f bad.domains -r /tmp/*
>        /tmp/argus.file:0
> 
> Now if I invert the matching logic,  ragrep() could report on the inverse of the
> test, which means we would only try to match on records that have user data buffers.
> 
>   % ragrep -c -f bad.domains -v -f argus.file
>       argus.file:80
> 
> Is this reasonable, or should ragrep() report 100?
> I guess the question is, "if I'm looking for all the records that don't have 'whatever' in
> the user buffer", do records that don't have user buffers match?
> 
> Carter
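
The two messages above come down to one semantic question: when -v is given, does a flow record with no user data buffer count as "not matching" (so -v yields N - M results, the rule chosen in the top message), or is it left out of the test entirely (the "80 vs 100" alternative raised in the quoted question)? The following Python model is an added example written for this page; it is not code from argus-clients or from the author. FlowRecord is a constructed stand-in for an argus record carrying only the fields the demo needs, the record set and the bad.domains pattern file are constructed inline, and the pattern-file parser implements the one-expression-per-line plus trailing-backslash continuation convention the quoted message describes. Both -v interpretations are implemented side by side so the difference in counts is visible on the same input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class FlowRecord:
    """Constructed stand-in for an argus flow record (assumption: only these fields)."""
    saddr: str
    daddr: str
    user_data: Optional[bytes] = None  # None models a record with no user data buffer


def load_patterns(text: str, ignore_case: bool = False) -> List[re.Pattern]:
    """Parse a grep -f style pattern file: one regex per line, blank lines ignored,
    a trailing backslash joins the next line into the same expression."""
    exprs, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        buf += raw
        if buf.strip():
            exprs.append(buf)
        buf = ""
    if buf.strip():
        exprs.append(buf)
    flags = re.IGNORECASE if ignore_case else 0
    # User data is raw bytes, so compile byte patterns (same as -i on grep for text).
    return [re.compile(e.encode(), flags) for e in exprs]


def record_matches(rec: FlowRecord, patterns: List[re.Pattern]) -> bool:
    """A record matches only if it carries user data and some pattern hits it."""
    if rec.user_data is None:
        return False
    return any(p.search(rec.user_data) for p in patterns)


def ragrep(records: List[FlowRecord], patterns: List[re.Pattern],
           invert: bool = False, test_only_user_data: bool = False) -> List[FlowRecord]:
    """Select records the way the post describes.

    invert=False: records matching some pattern (M of N).
    invert=True, test_only_user_data=False: the rule chosen in the top message,
        every non-matching record is selected, so N - M results; a record with
        no user data buffer simply never matches and is therefore selected.
    invert=True, test_only_user_data=True: the alternative from the quoted
        question, records without a user data buffer are skipped before testing.
    """
    selected = []
    for rec in records:
        if test_only_user_data and rec.user_data is None:
            continue
        if record_matches(rec, patterns) != invert:
            selected.append(rec)
    return selected


def count_per_file(files: Dict[str, List[FlowRecord]], patterns: List[re.Pattern],
                   invert: bool = False, test_only_user_data: bool = False) -> Dict[str, int]:
    """-c behaviour: one count per input file, printed as filename:count."""
    return {name: len(ragrep(recs, patterns, invert, test_only_user_data))
            for name, recs in files.items()}


def files_with_matches(counts: Dict[str, int], without: bool = False) -> List[str]:
    """-l lists files with at least one selected record; -L (without=True) the rest."""
    return [name for name, n in counts.items() if (n == 0) == without]


# Constructed bad.domains file: two expressions, the second split over two lines.
BAD_DOMAINS_FILE = "evil\\.example\nmal\\\nware\\.test\n"

# Constructed sample: 10 records, 8 with user data, 2 without (N = 10).
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.5", "203.0.113.10", b"GET / HTTP/1.1\r\nHost: evil.example\r\n"),
    FlowRecord("10.0.0.5", "203.0.113.11", b"GET /index HTTP/1.1\r\nHost: www.example.com\r\n"),
    FlowRecord("10.0.0.6", "203.0.113.12"),                          # no user data
    FlowRecord("10.0.0.7", "203.0.113.13", b"HELO mail.malware.test\r\n"),
    FlowRecord("10.0.0.8", "203.0.113.14", b"\x16\x03\x01\x00\xa5\x01\x00\x00"),  # TLS hello
    FlowRecord("10.0.0.9", "203.0.113.15"),                          # no user data
    FlowRecord("10.0.0.5", "203.0.113.16", b"Host: cdn.example.net\r\n"),
    FlowRecord("10.0.0.5", "203.0.113.17", b"Host: EVIL.EXAMPLE\r\n"),  # only hits with -i
    FlowRecord("10.0.0.9", "203.0.113.18", b"query evil.example A"),
    FlowRecord("10.0.0.7", "203.0.113.19", b"SSH-2.0-OpenSSH\r\n"),
]

if __name__ == "__main__":
    pats = load_patterns(BAD_DOMAINS_FILE)
    files = {"argus.file": SAMPLE_RECORDS}
    for name, n in count_per_file(files, pats).items():
        print(f"{name}:{n}")                                   # matches, M
    for name, n in count_per_file(files, pats, invert=True).items():
        print(f"-v (chosen, N - M) {name}:{n}")
    for name, n in count_per_file(files, pats, invert=True, test_only_user_data=True).items():
        print(f"-v (user-data records only) {name}:{n}")
```

Running it on the constructed set gives 3 matches, 7 for -v under the chosen rule (N - M = 10 - 3), and 5 under the alternative (only the 8 records with user data are tested); adding -i picks up the upper-case Host line as a fourth match. The only decision the two interpretations disagree on is the records with no user data buffer, which is exactly the question the quoted message asks.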


