Feature request: grep hex strings with -e

Carter Bullard carter at qosient.com
Wed Oct 31 16:24:25 EDT 2012


Hey Dave,
Here is a version of argus-clients-3.0.7.4 that has the autotools support
for using pcre.  Could you give it a test run before I announce it?

Carter

-------------- next part --------------
A non-text attachment was scrubbed...
Name: argus-clients-3.0.7.4.tar.gz
Type: application/x-gzip
Size: 2501648 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20121031/073adb7e/attachment.bin>
-------------- next part --------------


On Oct 31, 2012, at 12:54 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Dave,
> Finishing up the pcre configure.ac support.
> You are saying that you are using -lpcre and -lpcreposix?
> On my systems, the pcre-config() routine is returning:
> 
>   -L/opt/local/lib -lpcre
> 
> Is this going to get the support you need? What does your
> "pcre-config --libs" return?
> 
> Carter
> 
> On Oct 14, 2012, at 1:35 PM, Dave Edelman <dedelman at iname.com> wrote:
> 
>> I've just sent the files to Carter so the list is the place to discuss the
>> details.
>> 
>> --Dave
>> 
>>> -----Original Message-----
>>> From: Dave Edelman [mailto:dedelman at iname.com]
>>> Sent: Sunday, October 14, 2012 12:30 PM
>>> To: 'argus-info at lists.andrew.cmu.edu'
>>> Subject: RE: [ARGUS] Feature request: grep hex strings with -e
>>> 
>>> Looking at the things that I would want to do with regular expression
>>> matching, I came up with this list:
>>> 
>>> 1 - The ability to create multiple search patterns, each of which has its
>>> own scope and case-sensitivity attributes
>>> 2 - The ability to select a flow instance based on the "or" of the
>>> searches (any one is sufficient) or based on the "and" of the searches
>>> (all are required)
>>> 3 - A set of search scopes beyond source, destination, or both
>>> 
>>> I have a working implementation that allows up to 32 search patterns. For
>>> my testing, I hijacked the -v option; if it is set, then a match on any
>>> string in the set is sufficient, otherwise they all need to match. I would
>>> need something other than -v in a real version and I am open to suggestions.
>>> 
>>> For scope and case sensitivity I expanded the current set to:
>>> e: either source or destination or both; E: makes it case insensitive
>>>    (e: is the default)
>>> d: only in the destination buffer; D: makes it case insensitive
>>> s: only in the source buffer; S: makes it case insensitive
>>> n: not in either source or destination buffer; N: makes it case insensitive
>>> b: in both source and destination buffer; B: makes it case insensitive
>>> x: in either source or destination buffer but not both; X: makes it case
>>>    insensitive
>>> 
>>> An example might be to look for HTTP GET requests that did not return a
>>> 200 OK response.
>>> % ra -r * -s +suser:50 +duser:50 -e 's:^GET .*HTTP/1.[0|1].*Host: ' -e 'D:^http/1.[0|1] (?!200)' - port 80
>>> 
>>> Sat 2012-10-13 22:23:16.440989  e                   tcp Mws   10.1.1.31.zabbix-trapper          ->       143.127.2.49.http   10   1519  FIN
>>> s[50]=GET /update4?r=updates_file&ln=DU619XD0GTM1W1ZEPUK
>>> d[50]=HTTP/1.1 503 Service Temporarily Unavailable..Date
>>> 
>>> Or looking for a DNS request / response interaction where "google" shows
>>> up in either the source or the destination buffer, but not both.
>>> % ra -M printer='hex' -r * -s +suser:100 +duser:100 -e 'x:google' - port 53
>>> 
>>> Sat 2012-10-13 23:51:16.689215  eU                  udp   10.1.1.31.49485                  <->          10.1.1.68.domain   2        283   CON
>>> 
>>>     0x0000     0cd9 0100 0001 0000 0000 0000 0370 6f70     .............pop
>>>     0x0010     0567 6d61 696c 0363 6f6d 0000 0100 01       .gmail.com.....
>>> 
>>>     0x0000     0cd9 8180 0001 0003 0004 0000 0370 6f70     .............pop
>>>     0x0010     0567 6d61 696c 0363 6f6d 0000 0100 01c0     .gmail.com......
>>>     0x0020     0c00 0500 0100 0000 0900 1509 676d 6169     ............gmai
>>>     0x0030     6c2d 706f 7001 6c06 676f 6f67 6c65 c016     l-pop.l.google..
>>>     0x0040     c02b 0001 0001 0000 012c 0004 adc2 4c6c     .+.......,....Ll
>>>     0x0050     c02b 0001 0001 0000 012c 0004 adc2 4c6d     .+.......,....Lm
>>>     0x0060     c037 0002                                      .7..
>>> 
>>> Is this useful? Are there additional scopes that you would need?
>>> 
>>> --Dave
>> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2589 bytes
Desc: not available
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20121031/073adb7e/attachment-0001.bin>
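Added example, not code from this thread or from argus-clients: a small Python model of the matching semantics described in the quoted proposal (one scope letter per pattern, uppercase for case-insensitive, AND or OR across up to 32 patterns), run offline over constructed flow records. The DNS request and response buffers are the bytes of the hex dump quoted above; the HTTP buffers are made up to resemble the truncated s[50]/d[50] output. Assumptions of this example: patterns are matched as bytes against the raw user-data buffers, '.' is compiled to span CR/LF (re.S), a pattern without a recognised 'letter:' prefix gets the default 'e' scope, and the function names (parse_pattern, scope_hit, select_flows) are mine, not ra's.

```python
import re

# Scope letters from the proposal (lowercase = case-sensitive, uppercase =
# case-insensitive).  'e' is the default when no "letter:" prefix is given.
SCOPES = {
    "e": "either",   # source or destination (or both)
    "d": "dst",      # destination buffer only
    "s": "src",      # source buffer only
    "n": "neither",  # in neither buffer
    "b": "both",     # in both buffers
    "x": "xor",      # in exactly one of the two buffers
}
MAX_PATTERNS = 32  # the limit quoted in the proposal


def parse_pattern(spec):
    """Split 'S:regex' into (scope name, compiled bytes regex).

    Assumption: a single scope letter followed by ':' is the prefix; anything
    else is a bare regex with the default 'e' scope.  The regex is compiled
    against bytes (user-data buffers are raw payload) with re.S so that '.'
    also spans CR/LF inside a request or response.
    """
    m = re.fullmatch(r"([eEdDsSnNbBxX]):(.*)", spec, re.S)
    letter, regex = (m.group(1), m.group(2)) if m else ("e", spec)
    flags = re.S | (re.I if letter.isupper() else 0)
    return SCOPES[letter.lower()], re.compile(regex.encode("latin-1"), flags)


def scope_hit(scope, rx, suser, duser):
    """Apply one compiled pattern to the source and destination buffers."""
    s = rx.search(suser) is not None
    d = rx.search(duser) is not None
    return {
        "either": s or d,
        "dst": d,
        "src": s,
        "neither": not (s or d),
        "both": s and d,
        "xor": s != d,
    }[scope]


def select_flows(flows, specs, any_match=False):
    """Return the names of flows whose buffers satisfy the pattern set.

    any_match=False: every pattern must hit (AND); any_match=True: one hit is
    enough (OR), mirroring the proposal's temporary use of -v as the switch.
    """
    if len(specs) > MAX_PATTERNS:
        raise ValueError(f"at most {MAX_PATTERNS} patterns are supported")
    compiled = [parse_pattern(p) for p in specs]
    combine = any if any_match else all
    return [f["name"] for f in flows
            if combine(scope_hit(sc, rx, f["suser"], f["duser"])
                       for sc, rx in compiled)]


# Constructed sample records.  The DNS payloads are the bytes of the hex dump
# in the post; the HTTP payloads are invented to resemble the truncated output.
DNS_QUERY = bytes.fromhex(
    "0cd9 0100 0001 0000 0000 0000 0370 6f70 0567 6d61 696c 0363 6f6d 0000 0100 01")
DNS_REPLY = bytes.fromhex(
    "0cd9 8180 0001 0003 0004 0000 0370 6f70 0567 6d61 696c 0363 6f6d 0000 0100 01c0 "
    "0c00 0500 0100 0000 0900 1509 676d 6169 6c2d 706f 7001 6c06 676f 6f67 6c65 c016 "
    "c02b 0001 0001 0000 012c 0004 adc2 4c6c c02b 0001 0001 0000 012c 0004 adc2 4c6d "
    "c037 0002")
FLOWS = [
    {"name": "http-503",
     "suser": b"GET /update4?r=updates_file&ln=DU619XD0GTM1W1ZEPUK HTTP/1.1\r\n"
              b"Host: 143.127.2.49\r\n\r\n",
     "duser": b"HTTP/1.1 503 Service Temporarily Unavailable\r\n"
              b"Date: Sat, 13 Oct 2012 22:23:16 GMT\r\n"},
    {"name": "http-200",
     "suser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
     "duser": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"},
    {"name": "dns-pop.gmail.com", "suser": DNS_QUERY, "duser": DNS_REPLY},
]

if __name__ == "__main__":
    # The two ra invocations from the post, expressed as pattern sets.
    http_non_200 = ["s:^GET .*HTTP/1.[0|1].*Host: ", "D:^http/1.[0|1] (?!200)"]
    print("GET without 200 (AND):", select_flows(FLOWS, http_non_200))
    print("GET without 200 (OR): ", select_flows(FLOWS, http_non_200, any_match=True))
    print("google in exactly one buffer:", select_flows(FLOWS, ["x:google"]))
    print("google in neither buffer:    ", select_flows(FLOWS, ["n:google"]))
```

The AND form returns only the 503 flow, because the 200 flow satisfies the source pattern but fails the negative-lookahead destination pattern; the OR form returns both. The 'x:' scope picks out the DNS exchange because "google" appears only in the reply (the CNAME target), not in the query, which is exactly the case the post's second command was after.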

