Feature request: grep hex strings with -e

Dave Edelman dedelman at iname.com
Sun Oct 14 12:29:49 EDT 2012


Looking at the things that I would want to do with regular expression
matching, I came up with this list:

1 - The ability to create multiple search patterns each of which has its own
scope and case-sensitivity attributes
2 - The ability to select a flow instance based on the "or" of the searches
(any one is sufficient) or based on the 'and' of the searches (all are
required)
3 - A set of search scopes beyond source, destination, or both

I have a working implementation that allows up to 32 search patterns. For my
testing, I hijacked the -v option; if it is set, then a match on any string
in the set is sufficient, otherwise they all need to match. I would need
something other than -v in a real version and I am open to suggestions.

For scope and case sensitivity I expanded the current set to:
e: either source or destination or both                  E: makes it case insensitive  (e: is the default)
d: only in the destination buffer                        D: makes it case insensitive
s: only in the source buffer                             S: makes it case insensitive
n: not in either source or destination buffer            N: makes it case insensitive
b: in both source and destination buffer                 B: makes it case insensitive
x: in either source or destination buffer but not both   X: makes it case insensitive

An example might be to look for HTTP GET requests that did not return a 200
OK response.
% ra -r * -s +suser:50 +duser:50 -e 's:^GET .*HTTP/1.[0|1].*Host: ' -e 'D:^http/1.[0|1] (?!200)' - port 80

Sat 2012-10-13 22:23:16.440989  e                   tcp Mws   10.1.1.31.zabbix-trapper          ->       143.127.2.49.http          10       1519  FIN
  s[50]=GET /update4?r=updates_file&ln=DU619XD0GTM1W1ZEPUK    d[50]=HTTP/1.1 503 Service Temporarily Unavailable..Date

Or looking for a DNS request / response interaction where "google" shows up
in either the source or the destination buffer, but not both.
% ra -M printer='hex' -r * -s +suser:100 +duser:100 -e 'x:google' - port 53

Sat 2012-10-13 23:51:16.689215  eU                  udp       10.1.1.31.49485                  <->          10.1.1.68.domain          2        283  CON
      0x0000     0cd9 0100 0001 0000 0000 0000 0370 6f70     .............pop
      0x0010     0567 6d61 696c 0363 6f6d 0000 0100 01        .gmail.com.....

      0x0000     0cd9 8180 0001 0003 0004 0000 0370 6f70     .............pop
      0x0010     0567 6d61 696c 0363 6f6d 0000 0100 01c0     .gmail.com......
      0x0020     0c00 0500 0100 0000 0900 1509 676d 6169     ............gmai
      0x0030     6c2d 706f 7001 6c06 676f 6f67 6c65 c016     l-pop.l.google..
      0x0040     c02b 0001 0001 0000 012c 0004 adc2 4c6c     .+.......,....Ll
      0x0050     c02b 0001 0001 0000 012c 0004 adc2 4c6d     .+.......,....Lm
      0x0060     c037 0002                                   .7..

Is this useful? Are there additional scopes that you would need?

--Dave
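As an added illustration of the scope letters and the and/or selection described in the post (example code written for this page, not Dave's implementation and not argus's own matching code), the Python below applies scoped patterns to constructed suser/duser buffers. It assumes that 'd:' and 's:' search just that one buffer, that the uppercase letter only toggles case-insensitivity, and that '.' may cross line breaks inside user data (re.DOTALL).

```python
import re
from typing import List, NamedTuple

MAX_PATTERNS = 32          # limit of the implementation described in the post
SCOPES = "edsnbx"          # scope letters e/d/s/n/b/x as listed in the post

class Pattern(NamedTuple):
    scope: str             # lowercase scope letter
    regex: "re.Pattern"

def parse_pattern(spec: str) -> Pattern:
    """Parse 'S:regex'. Lowercase S is case-sensitive, uppercase S is
    case-insensitive; no prefix means 'e:' (the default in the post)."""
    scope, flags = "e", re.DOTALL   # assumption: '.' may cross CRLF in user data
    if len(spec) >= 2 and spec[1] == ":" and spec[0].lower() in SCOPES:
        scope = spec[0].lower()
        if spec[0].isupper():
            flags |= re.IGNORECASE
        spec = spec[2:]
    return Pattern(scope, re.compile(spec, flags))

def pattern_matches(p: Pattern, suser: str, duser: str) -> bool:
    """Apply one scoped pattern to the source and destination user buffers."""
    in_s = p.regex.search(suser) is not None
    in_d = p.regex.search(duser) is not None
    return {
        "e": in_s or in_d,             # either buffer (or both)
        "s": in_s,                     # searched in the source buffer only
        "d": in_d,                     # searched in the destination buffer only
        "n": not (in_s or in_d),       # in neither buffer
        "b": in_s and in_d,            # in both buffers
        "x": in_s != in_d,             # in exactly one buffer, not both
    }[p.scope]

def select_flow(specs: List[str], suser: str, duser: str, any_of: bool = False) -> bool:
    """'and' of all patterns by default; any_of=True gives the 'or'
    (the behaviour the post temporarily hung on -v)."""
    if len(specs) > MAX_PATTERNS:
        raise ValueError(f"at most {MAX_PATTERNS} search patterns")
    hits = [pattern_matches(parse_pattern(s), suser, duser) for s in specs]
    return any(hits) if any_of else all(hits)

# Constructed sample buffers (not real captures) mirroring the post's two examples.
GET_503 = ("GET /update4?r=updates_file HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
           "HTTP/1.1 503 Service Temporarily Unavailable\r\nDate: Sat, 13 Oct 2012\r\n")
GET_200 = ("GET /index.html HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
           "HTTP/1.0 200 OK\r\nDate: Sat, 13 Oct 2012\r\n")
DNS = ("\x03pop\x05gmail\x03com\x00", "\x03pop\x05gmail\x03com\x00\tgmail-pop\x01l\x06google\x00")

if __name__ == "__main__":
    not_ok = ["s:^GET .*HTTP/1.[0|1].*Host: ", "D:^http/1.[0|1] (?!200)"]
    print(select_flow(not_ok, *GET_503), select_flow(not_ok, *GET_200))  # True False
    print(select_flow(["x:google"], *DNS))                                # True
```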
