Thanks [Re: ragrep newbie question ?
Carter Bullard
carter at qosient.com
Fri Mar 26 09:58:56 EDT 2010
Hey Stéphane,
I just uploaded argus-clients-3.0.3.5.tar.gz to the developers web page.
http://qosient.com/argus/dev/argus-clients-3.0.3.5.tar.gz
It has all the changes to ragrep() that you suggested in your email.
Carter
>
> Carter Bullard a écrit :
>>
>> Hey Stéphane,
>> I fixed the -v option and updated the usage(). Added the 'H' and 'h' options to
>> control filename printing on output. I'll upload a new clients tomorrow that should
>> have all these fixes.
>>
>> If you run any ra* program without any data source specified in the .rarc or on the
>> commandline, they will all block reading for input on stdin. So that's the correct behavior.
>>
>> To deal with the collisions of options, I'd suggest that we pipe the output to ra(). While
>> that may not be 100% of what you want, it is the easiest for getting similarity to grep()
>> and its options, and still providing all the ra() functions.
>>
>> ragrep -r file -e 'whatever' -w - | ra -L 24
>>
>> The 'e' option was changed for all ra* programs in 3.0.x. The encoding option is now done
>> with a "-M encode" option.
>>
>> Hope all is most excellent,
>>
>> Carter
>> On Mar 24, 2010, at 11:31 AM, Stéphane Peters wrote:
>>> Hey Carter,
>>>
>>> sorry for having left you without any news for such a long time !
>>> Thank you for your fast suggestion of ragrep with the -f option!
>>> Just one thing, the -v option shows an odd behavior, more on that later.
>>>
>>> As usual, argus was the tool of choice in this case:
>>> it was able to show traces of infections,
>>> both in real time and in past data several weeks (and even months) before,
>>> thanks to the data reduction obtained by the flows records.
>>>
>>> I must say that I still haven't attained the first limit of about 200 patterns inline with the direct RE,
>>> but I like your idea of a large buffer.
>>>
>>> With a space of 16K patterns, and the "-v" option, my work can be reversed :
>>> I am building a white list of accepted/known good DNS names to narrow the search for virus evidences.
>>> Let's see if it is manageable...
>>>
>>> Here are some suggestions about ragrep:
>>> - the filename is appearing on stdout when reading a single file; how could it be controlled (hidden)?
>>> perhaps with the "-s +filename" option?
>>> - the -L option seems conflicting with "-L0"; how could I show the titles ?
>>> perhaps could we choose +l / -l to control the printing of the filename ?
>>> - the usage text doesn't talk about -f / -l / -L / -i options,
>>> and shows "Ratemplate Version 3.0.3.4"
>>> - the -e option is conflicting between expression and encoding,
>>> I haven't used it before but, who knows ?
>>> - the -v option seems inactive, here are some attempts,
>>> comparing ragrep(3.0.0.rc.70) with ragrep(3.0.3.4):
>>>
>>> the -v option is parsed in the new version
[snip] ......
>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3815 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20100326/7d177e4d/attachment.bin>
More information about the argus
mailing list