Feature request: grep hex strings with -e
Carter Bullard
carter at qosient.com
Wed Oct 31 12:54:53 EDT 2012
Hey Dave,
Finishing up the pcre configure.ac support.
You are saying that you are using -lpcre and -lpcreposix ?
On my systems, the pcre-config() routine is returning:
-L/opt/local/lib -lpcre
Is this going to get the support you need ? What does your
" pcre-config --libs " return?
Carter
On Oct 14, 2012, at 1:35 PM, Dave Edelman <dedelman at iname.com> wrote:
> I've just sent the files to Carter so the list is the place to discuss the
> details.
>
> --Dave
>
>> -----Original Message-----
>> From: Dave Edelman [mailto:dedelman at iname.com]
>> Sent: Sunday, October 14, 2012 12:30 PM
>> To: 'argus-info at lists.andrew.cmu.edu'
>> Subject: RE: [ARGUS] Feature request: grep hex strings with -e
>>
>> Looking at the things that I would want to do with regular expression
>> matching, I came up with this list:
>>
>> 1 - The ability to create multiple search patterns each of which has its own scope and case-sensitivity attributes
>> 2 - The ability to select a flow instance based on the "or" of the searches (any one is sufficient) or based on the 'and' of the searches (all are required)
>> 3 - A set of search scopes beyond source, destination, or both
>>
>> I have a working implementation that allows up to 32 search patterns. For my testing, I hijacked the -v option; if it is set, then a match on any string in the set is sufficient, otherwise they all need to match. I would need something other than -v in a real version and I am open to suggestions.
>>
>> For scope and case sensitivity I expanded the current set to:
>> e: either source or destination or both E: makes it case insensitive (e: is the default)
>> d: only in the destination buffer D: makes it case insensitive
>> s: only in the source buffer S: makes it case insensitive
>> n: not in either source or destination buffer N: makes it case insensitive
>> b: in both source and destination buffer B: makes it case insensitive
>> x: in either source or destination buffer but not both X: makes it case insensitive
>>
>> An example might be to look for HTTP GET requests that did not return a 200 OK response.
>> % ra -r * -s +suser:50 +duser:50 -e 's:^GET .*HTTP/1.[0|1].*Host: ' -e 'D:^http/1.[0|1] (?!200)' - port 80
>>
>> Sat 2012-10-13 22:23:16.440989 e tcp Mws 10.1.1.31.zabbix-trapper -> 143.127.2.49.http 10 1519 FIN
>> s[50]=GET /update4?r=updates_file&ln=DU619XD0GTM1W1ZEPUK
>> d[50]=HTTP/1.1 503 Service Temporarily Unavailable..Date
>>
>> Or looking for a DNS request / response interaction where "google" shows up in either the source or the destination buffer, but not both.
>> % ra -M printer='hex' -r * -s +suser:100 +duser:100 -e 'x:google' - port 53
>>
>> Sat 2012-10-13 23:51:16.689215 eU udp 10.1.1.31.49485 <-> 10.1.1.68.domain 2 283 CON
>>
>> 0x0000 0cd9 0100 0001 0000 0000 0000 0370 6f70 .............pop
>> 0x0010 0567 6d61 696c 0363 6f6d 0000 0100 01 .gmail.com.....
>>
>> 0x0000 0cd9 8180 0001 0003 0004 0000 0370 6f70 .............pop
>> 0x0010 0567 6d61 696c 0363 6f6d 0000 0100 01c0 .gmail.com......
>> 0x0020 0c00 0500 0100 0000 0900 1509 676d 6169 ............gmai
>> 0x0030 6c2d 706f 7001 6c06 676f 6f67 6c65 c016 l-pop.l.google..
>> 0x0040 c02b 0001 0001 0000 012c 0004 adc2 4c6c .+.......,....Ll
>> 0x0050 c02b 0001 0001 0000 012c 0004 adc2 4c6d .+.......,....Lm
>> 0x0060 c037 0002 .7..
>>
>> Is this useful? Are there additional scopes that you would need?
>>
>> --Dave
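The scope letters and the all-vs-any combination Dave describes above, as an added model of the proposed matching rules (example code, not the argus/ra implementation or Dave's prototype). Python's `re` stands in for PCRE here since it supports the negative lookahead used in the quoted `(?!200)` example; the sample `suser`/`duser` buffers are constructed, not taken from the captures in the thread.

```python
import re

# Scope letters from the proposal. Lowercase is case-sensitive; the uppercase
# form of the same letter adds case-insensitivity. Each rule takes
# (matched_in_source, matched_in_destination) and decides the pattern's result.
SCOPES = {
    "e": lambda s, d: s or d,            # either buffer (the proposal's default)
    "d": lambda s, d: d,                 # destination buffer only
    "s": lambda s, d: s,                 # source buffer only
    "n": lambda s, d: not s and not d,   # in neither buffer
    "b": lambda s, d: s and d,           # in both buffers
    "x": lambda s, d: s != d,            # in exactly one of the two
}

def parse_pattern(spec):
    """Split a 'scope:regex' argument into (lowercase scope, compiled regex).
    A spec without a recognised scope prefix falls back to 'e'."""
    scope, regex = "e", spec
    if len(spec) > 2 and spec[1] == ":" and spec[0].lower() in SCOPES:
        scope, regex = spec[0], spec[2:]
    flags = re.IGNORECASE if scope.isupper() else 0
    return scope.lower(), re.compile(regex, flags)

def pattern_matches(spec, suser, duser):
    """Evaluate one -e pattern against the source and destination user buffers."""
    scope, rx = parse_pattern(spec)
    in_src = rx.search(suser) is not None
    in_dst = rx.search(duser) is not None
    return bool(SCOPES[scope](in_src, in_dst))

def flow_matches(specs, suser, duser, any_match=False):
    """Combine several patterns: all must match (default), or any one suffices
    (the mode Dave's prototype toggled with -v)."""
    results = [pattern_matches(p, suser, duser) for p in specs]
    return any(results) if any_match else all(results)

# Constructed sample payloads (not the captures shown in the thread).
HTTP_SRC = "GET /update4?r=updates_file HTTP/1.1\r\nHost: updates.example\r\n"
HTTP_DST_503 = "HTTP/1.1 503 Service Temporarily Unavailable\r\nDate: x\r\n"
HTTP_DST_200 = "HTTP/1.1 200 OK\r\nDate: x\r\n"
DNS_QUERY = "pop.gmail.com"
DNS_REPLY = "pop.gmail.com gmail-pop.l.google.com"

HTTP_PATTERNS = ["s:^GET .*HTTP/1.[01]", "D:^http/1.[01] (?!200)"]

if __name__ == "__main__":
    print(flow_matches(HTTP_PATTERNS, HTTP_SRC, HTTP_DST_503))  # GET without 200
    print(pattern_matches("x:google", DNS_QUERY, DNS_REPLY))    # only in the reply
```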