Feature request: grep hex strings with -e

Carter Bullard carter at qosient.com
Wed Oct 31 12:54:53 EDT 2012


Hey Dave,
Finishing up the pcre configure.ac support.
You are saying that you are using -lpcre and -lpcreposix?
On my systems, the pcre-config() routine is returning:

   -L/opt/local/lib -lpcre

Is this going to get the support you need? What does your
"pcre-config --libs" return?

Carter

On Oct 14, 2012, at 1:35 PM, Dave Edelman <dedelman at iname.com> wrote:

> I've just sent the files to Carter so the list is the place to discuss the
> details.
> 
> --Dave
> 
>> -----Original Message-----
>> From: Dave Edelman [mailto:dedelman at iname.com]
>> Sent: Sunday, October 14, 2012 12:30 PM
>> To: 'argus-info at lists.andrew.cmu.edu'
>> Subject: RE: [ARGUS] Feature request: grep hex strings with -e
>> 
>> Looking at the things that I would want to do with regular expression
>> matching, I came up with this list:
>> 
>> 1 - The ability to create multiple search patterns each of which has its
>>     own scope and case-sensitivity attributes
>> 2 - The ability to select a flow instance based on the "or" of the
>>     searches (any one is sufficient) or based on the 'and' of the
>>     searches (all are required)
>> 3 - A set of search scopes beyond source, destination, or both
>> 
>> I have a working implementation that allows up to 32 search patterns.
>> For my testing, I hijacked the -v option; if it is set, then a match on
>> any string in the set is sufficient, otherwise they all need to match.
>> I would need something other than -v in a real version and I am open to
>> suggestions.
>> 
>> For scope and case sensitivity I expanded the current set to:
>> e: either source or destination or both          E: makes it case insensitive  (e: is the default)
>> d: only in the destination buffer                D: makes it case insensitive
>> s: only in the source buffer                     S: makes it case insensitive
>> n: not in either source or destination buffer    N: makes it case insensitive
>> b: in both source and destination buffer         B: makes it case insensitive
>> x: in either source or destination buffer but not both    X: makes it case insensitive
>> 
>> An example might be to look for HTTP GET requests that did not return a
>> 200 OK response.
>> % ra -r * -s +suser:50 +duser:50 -e 's:^GET .*HTTP/1.[0|1].*Host: ' -e 'D:^http/1.[0|1] (?!200)' - port 80
>> 
>> Sat 2012-10-13 22:23:16.440989  e                   tcp Mws        10.1.1.31.zabbix-trapper          ->       143.127.2.49.http          10       1519  FIN
>>  s[50]=GET /update4?r=updates_file&ln=DU619XD0GTM1W1ZEPUK
>>  d[50]=HTTP/1.1 503 Service Temporarily Unavailable..Date
>> 
>> Or looking for a DNS request / response interaction where "google" shows
>> up in either the source or the destination buffer, but not both.
>> % ra -M printer='hex' -r * -s +suser:100 +duser:100 -e 'x:google' - port 53
>> 
>> Sat 2012-10-13 23:51:16.689215  eU                  udp        10.1.1.31.49485                  <->          10.1.1.68.domain         2        283   CON
>> 
>>      0x0000     0cd9 0100 0001 0000 0000 0000 0370 6f70     .............pop
>>      0x0010     0567 6d61 696c 0363 6f6d 0000 0100 01       .gmail.com.....
>> 
>>      0x0000     0cd9 8180 0001 0003 0004 0000 0370 6f70     .............pop
>>      0x0010     0567 6d61 696c 0363 6f6d 0000 0100 01c0     .gmail.com......
>>      0x0020     0c00 0500 0100 0000 0900 1509 676d 6169     ............gmai
>>      0x0030     6c2d 706f 7001 6c06 676f 6f67 6c65 c016     l-pop.l.google..
>>      0x0040     c02b 0001 0001 0000 012c 0004 adc2 4c6c     .+.......,....Ll
>>      0x0050     c02b 0001 0001 0000 012c 0004 adc2 4c6d     .+.......,....Lm
>>      0x0060     c037 0002                                   .7..
>> 
>> Is this useful? Are there additional scopes that you would need?
>> 
>> --Dave
>> 
>> 
> 
> 
> 
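
As an added illustration of the scope letters and the "or"/"and" combination described in the quoted proposal (this is not Dave's implementation, which was not posted, nor argus code), the following Python models the matching semantics: each -e argument is parsed as 'scope:regex', an upper-case scope letter makes the match case-insensitive, a bare pattern defaults to 'e:', and the patterns are combined with "all must match" unless the caller asks for "any is sufficient". The any_sufficient parameter, the use of re.DOTALL so that '.*' can span the CR/LF bytes of a payload, and the sample buffers are all assumptions made here; the buffers are constructed to resemble the HTTP and DNS cases in the message, not captured traffic.

```python
import re
from dataclasses import dataclass

# Scope letters from the proposal: e (either), d (destination only), s (source only),
# n (neither), b (both), x (exactly one). The upper-case form of each letter selects
# the same scope but makes the match case-insensitive.
SCOPES = frozenset("edsnbx")


@dataclass
class ScopedPattern:
    scope: str           # lower-cased scope letter
    regex: re.Pattern    # compiled search expression


def parse_pattern(spec: str) -> ScopedPattern:
    """Parse one -e argument of the form 'scope:regex'.

    A pattern without a recognised 'letter:' prefix defaults to the 'e:' scope,
    as the proposal states. re.DOTALL is an assumption made here so that '.*'
    can span the CR/LF bytes of a captured payload.
    """
    if len(spec) >= 2 and spec[1] == ":" and spec[0].lower() in SCOPES:
        letter, body = spec[0], spec[2:]
    else:
        letter, body = "e", spec
    flags = re.DOTALL | (re.IGNORECASE if letter.isupper() else 0)
    return ScopedPattern(letter.lower(), re.compile(body, flags))


def pattern_matches(p: ScopedPattern, suser: str, duser: str) -> bool:
    """Apply one scoped pattern to a flow's source and destination user buffers."""
    in_src = p.regex.search(suser) is not None
    in_dst = p.regex.search(duser) is not None
    if p.scope == "s":
        return in_src
    if p.scope == "d":
        return in_dst
    if p.scope == "e":
        return in_src or in_dst
    if p.scope == "b":
        return in_src and in_dst
    if p.scope == "n":
        return not (in_src or in_dst)
    if p.scope == "x":
        return in_src != in_dst          # one buffer but not both
    raise ValueError(f"unknown scope {p.scope!r}")


def flow_matches(suser: str, duser: str, patterns: list,
                 any_sufficient: bool = False) -> bool:
    """Combine the patterns with 'or' (any_sufficient=True) or 'and' (the default).

    any_sufficient stands in for the -v option the proposal hijacked for testing.
    """
    results = [pattern_matches(p, suser, duser) for p in patterns]
    return any(results) if any_sufficient else all(results)


# Constructed sample buffers (not captured traffic), shaped like the two cases
# in the proposal: an HTTP request/response pair and a DNS query/answer pair.
HTTP_503 = (
    "GET /update4?r=updates_file HTTP/1.1\r\nHost: updates.example.invalid\r\n\r\n",
    "HTTP/1.1 503 Service Temporarily Unavailable\r\nDate: Sat, 13 Oct 2012 22:23:16 GMT\r\n",
)
HTTP_200 = (
    "GET /index.html HTTP/1.0\r\nHost: www.example.invalid\r\n\r\n",
    "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n",
)
DNS_POP = (
    "\x0c\xd9\x01\x00\x03pop\x05gmail\x03com\x00",
    "\x0c\xd9\x81\x80\x03pop\x05gmail\x03com\x00\x09gmail-pop\x01l\x06google\x00",
)

# The two -e arguments from the "GET without a 200 OK" example in the message.
NON_200_GET = [
    parse_pattern("s:^GET .*HTTP/1.[0|1].*Host: "),
    parse_pattern("D:^http/1.[0|1] (?!200)"),
]


def demo() -> dict:
    """Return the outcome of each proposal example on the constructed flows."""
    return {
        "http_503_all": flow_matches(*HTTP_503, NON_200_GET),
        "http_200_all": flow_matches(*HTTP_200, NON_200_GET),
        "http_200_any": flow_matches(*HTTP_200, NON_200_GET, any_sufficient=True),
        "dns_x_google": pattern_matches(parse_pattern("x:google"), *DNS_POP),
        "dns_x_gmail": pattern_matches(parse_pattern("x:gmail"), *DNS_POP),
        "http_n_google": pattern_matches(parse_pattern("n:google"), *HTTP_503),
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

The 503 flow satisfies both patterns, the 200 flow fails the 'D:' pattern because the lookahead rejects "200", and the DNS pair matches 'x:google' only because "google" appears in the answer but not the query, while 'x:gmail' fails since both buffers carry it. Note that a pattern whose first two characters happen to be a scope letter and a colon is always read as scoped; a literal "s:" at the start of a search string would need an explicit 'e:' prefix.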
