Feature request: grep hex strings with -e
Dave Edelman
dedelman at iname.com
Sun Oct 14 13:35:09 EDT 2012
I've just sent the files to Carter so the list is the place to discuss the
details.
--Dave
> -----Original Message-----
> From: Dave Edelman [mailto:dedelman at iname.com]
> Sent: Sunday, October 14, 2012 12:30 PM
> To: 'argus-info at lists.andrew.cmu.edu'
> Subject: RE: [ARGUS] Feature request: grep hex strings with -e
>
> Looking at the things that I would want to do with regular expression
> matching, I came up with this list:
>
> 1 - The ability to create multiple search patterns each of which has its own
>     scope and case-sensitivity attributes
> 2 - The ability to select a flow instance based on the "or" of the searches (any
>     one is sufficient) or based on the 'and' of the searches (all are required)
> 3 - A set of search scopes beyond source, destination, or both
> 3 - A set of search scopes beyond source, destination, or both
>
> I have a working implementation that allows up to 32 search patterns. For my
> testing, I hijacked the -v option; if it is set, then a match on any string in the
> set is sufficient, otherwise they all need to match. I would need something
> other than -v in a real version and I am open to suggestions.
>
> For scope and case sensitivity I expanded the current set to:
> e: either source or destination or both                 E: makes it case insensitive (e: is the default)
> d: only in the destination buffer                       D: makes it case insensitive
> s: only in the source buffer                            S: makes it case insensitive
> n: not in either source or destination buffer           N: makes it case insensitive
> b: in both source and destination buffer                B: makes it case insensitive
> x: in either source or destination buffer but not both  X: makes it case insensitive
>
> An example might be to look for HTTP GET requests that did not return a 200
> OK response.
> % ra -r * -s +suser:50 +duser:50 -e 's:^GET .*HTTP/1.[0|1].*Host: ' -e 'D:^http/1.[0|1] (?!200)' - port 80
>
> Sat 2012-10-13 22:23:16.440989 e tcp Mws 10.1.1.31.zabbix-trapper -> 143.127.2.49.http 10 1519 FIN
> s[50]=GET /update4?r=updates_file&ln=DU619XD0GTM1W1ZEPUK
> d[50]=HTTP/1.1 503 Service Temporarily Unavailable..Date
>
> Or looking for a DNS request / response interaction where "google" shows up
> in either the source or the destination buffer, but not both.
> % ra -M printer='hex' -r * -s +suser:100 +duser:100 -e 'x:google' - port 53
>
> Sat 2012-10-13 23:51:16.689215 eU udp 10.1.1.31.49485 <-> 10.1.1.68.domain 2 283 CON
>
> 0x0000 0cd9 0100 0001 0000 0000 0000 0370 6f70  .............pop
> 0x0010 0567 6d61 696c 0363 6f6d 0000 0100 01    .gmail.com.....
>
> 0x0000 0cd9 8180 0001 0003 0004 0000 0370 6f70  .............pop
> 0x0010 0567 6d61 696c 0363 6f6d 0000 0100 01c0  .gmail.com......
> 0x0020 0c00 0500 0100 0000 0900 1509 676d 6169  ............gmai
> 0x0030 6c2d 706f 7001 6c06 676f 6f67 6c65 c016  l-pop.l.google..
> 0x0040 c02b 0001 0001 0000 012c 0004 adc2 4c6c  .+.......,....Ll
> 0x0050 c02b 0001 0001 0000 012c 0004 adc2 4c6d  .+.......,....Lm
> 0x0060 c037 0002 .7..
>
> Is this useful? Are there additional scopes that you would need?
>
> --Dave
>
>
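Added example, not code from the post and not argus code: a small Python model of the scoped-pattern semantics Dave proposes above (scope letters e/d/s/n/b/x, upper-case meaning case-insensitive, and the "any one matches" versus "all must match" selection that the post temporarily hangs off -v), run over constructed source/destination buffers shaped like the two records in the post. Assumptions beyond the post: a pattern with no scope prefix is treated as e:, buffers are handled as text, and DOTALL is set so that `.` crosses CR/LF the way it would in the raw user-data buffer.

```python
import re
from dataclasses import dataclass

# Added example, not argus code: a Python model of the scoped-pattern
# semantics proposed in the post (scope letters e/d/s/n/b/x, upper-case
# meaning case-insensitive, and the "any" vs "all" combination that the
# post temporarily hangs off -v).

SCOPES = "edsnbx"


@dataclass
class ScopedPattern:
    scope: str              # one of e d s n b x (lower-cased)
    ignore_case: bool
    regex: "re.Pattern[str]"


def parse_pattern(spec: str) -> ScopedPattern:
    """Turn an -e argument such as 'x:google' or 'D:^http/1.[0|1] (?!200)'
    into a ScopedPattern. A spec with no scope prefix is treated as 'e:'
    (the post says e: is the default; that a bare pattern means 'e:' is an
    assumption). re.DOTALL is used because the expression is applied to the
    raw user-data buffer, where '.' should also span CR/LF (assumption).
    """
    if len(spec) > 1 and spec[1] == ":" and spec[0].lower() in SCOPES:
        scope_char, body = spec[0], spec[2:]
    else:
        scope_char, body = "e", spec
    ignore_case = scope_char.isupper()
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    return ScopedPattern(scope_char.lower(), ignore_case, re.compile(body, flags))


def pattern_matches(p: ScopedPattern, suser: str, duser: str) -> bool:
    """Evaluate one scoped pattern against the source and destination buffers."""
    in_src = p.regex.search(suser) is not None
    in_dst = p.regex.search(duser) is not None
    if p.scope == "e":           # either buffer, or both
        return in_src or in_dst
    if p.scope == "d":           # destination buffer only
        return in_dst
    if p.scope == "s":           # source buffer only
        return in_src
    if p.scope == "n":           # in neither buffer
        return not (in_src or in_dst)
    if p.scope == "b":           # in both buffers
        return in_src and in_dst
    # "x": in exactly one of the two buffers
    return in_src != in_dst


def flow_matches(specs, suser: str, duser: str, any_of: bool = False) -> bool:
    """Select a flow: every pattern must match, or, with any_of=True (the
    post's hijacked -v), one matching pattern is sufficient."""
    patterns = [parse_pattern(s) for s in specs]
    results = [pattern_matches(p, suser, duser) for p in patterns]
    return any(results) if any_of else all(results)


# Constructed sample buffers, not captured traffic; they mirror the shape
# of the two records shown in the post.
HTTP_GET = "GET /update4?r=updates_file HTTP/1.1\r\nHost: updates.example\r\n\r\n"
HTTP_503 = "HTTP/1.1 503 Service Temporarily Unavailable\r\nDate: Sat, 13 Oct 2012\r\n"
HTTP_200 = "HTTP/1.1 200 OK\r\nDate: Sat, 13 Oct 2012\r\n"
DNS_QUERY = "pop.gmail.com"                            # name asked for
DNS_ANSWER = "pop.gmail.com gmail-pop.l.google.com"   # CNAME chain in the reply

# The two -e arguments from the HTTP example in the post.
HTTP_SPECS = ["s:^GET .*HTTP/1.[0|1].*Host: ", "D:^http/1.[0|1] (?!200)"]


if __name__ == "__main__":
    print("GET with 503 response selected:", flow_matches(HTTP_SPECS, HTTP_GET, HTTP_503))
    print("GET with 200 response selected:", flow_matches(HTTP_SPECS, HTTP_GET, HTTP_200))
    print("x:google, only the reply has it:", flow_matches(["x:google"], DNS_QUERY, DNS_ANSWER))
    print("x:google, both buffers have it:", flow_matches(["x:google"], DNS_ANSWER, DNS_ANSWER))
```

The 503 record is selected because the s: pattern hits the request and the D: pattern's `(?!200)` lookahead passes on the response; swapping in a 200 OK response fails the second pattern, so the flow is dropped unless the "any one is sufficient" mode is on. The x: scope is what makes the DNS case work: "google" appears only in the reply (the CNAME target), so exactly one buffer matches.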