Ratop question

Carter Bullard carter at qosient.com
Wed Nov 5 22:10:41 EST 2014


Yes, all of that is a part of grepping the concatenated user data fields, but it's also an issue with grepping the labels.

     ‘ -M label=“labelMatchingRegExpression” ‘

It would seem logical to have any ‘gotchas’ documented in ragrep.1, and then reference
that for the ‘ -e <regex> ‘ option in ra.1 ???

Because you can link with the PCRE regular expression library, and get different behavior, it's possible that we can have a different "-h" output, as that can be determined at compile time.
Not necessarily easy to get a different man page installed ????


Carter


> On Nov 5, 2014, at 9:56 PM, David Edelman <dedelman at iname.com> wrote:
> 
> There are a few things that you need to consider - 
> Since Argus deals with flows rather than packets, the regular expression is applied to the user data associated with the entire flow record. You set the number of bytes of user data that is retained and if that quantity is large enough, you might have several sets of http requests and responses lumped together. If there are GET requests mixed in with the POST requests then you may not see the flows you are looking for. In addition you should be very careful about using anchored searches since the pattern may not be in the first position in the buffer.
> The second thing to consider is that if you only show 100 bytes of the suser field, and the capture size is greater than 100 bytes, then you may see flows that match the regular expression but that don't obviously display the pattern that was matched.
> 
> --Dave
> 
> 
> 
> -----Original Message-----
> From: argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu [mailto:argus-info-bounces+dedelman=iname.com at lists.andrew.cmu.edu] On Behalf Of elof2 at sentor.se
> Sent: Wednesday, November 05, 2014 11:18 AM
> To: Carter Bullard
> Cc: Argus
> Subject: Re: [ARGUS] Ratop question
> 
> 
> Hi Carter!
> 
> For starters, it would be nice if "-v" was mentioned in the ra(1) manual.
> I didn't find it, so I created the [^G][^E][^T] regex instead...
> 
> /Elof
> 
> 
> On Wed, 5 Nov 2014, Carter Bullard wrote:
> 
>> Hey Guys,
>> There is another twist of this idea, but it may be a feature problem for ratop.1.
>> 
>> All the ra* clients support using the -v flag to negate a -e grep expression, just like grep.
>> 
>> Unfortunately the -v option reverses both the sort order and the regex operation
>> in ratop.1.  This is a case of having too many operators, and wanting to use -v,
>> like many unix commands, to reverse the logic.  sort.1 and grep.1 both use
>> -v to negate actions, and rasort.1 and ragrep.1 also use -v.
>> 
>> Because ratop.1 incorporates the functions of rasort and ragrep, we
>> ‘ inherit ‘ the actions of the -v.
>> 
>> So, use the "-e regex -v" options to read an input file, and then when it
>> displays the results, use the "-v" to get the sort order correct.
>> 
>> Not sure how to correct this, may have to make some changes to .rarc to
>> clarify the -v function ???
>> 
>> Carter
>> 
>>> On Nov 5, 2014, at 10:28 AM, elof2 at sentor.se wrote:
>>> 
>>> 
>>> ... | grep -v "GET "
>>> 
>>> or
>>> 
>>> -e "s:[^G][^E][^T]"
>>> 
>>> /Elof
>>> 
>>> On Wed, 5 Nov 2014, Monah Baki wrote:
>>> 
>>>> Can I use the negate operator saying I want to see everything except "GET"?
>>>> 
>>>> 
>>>> Thanks
>>>> 
>>>> On Wed, Nov 5, 2014 at 10:08 AM, David Edelman <dedelman at iname.com> wrote:
>>>> 
>>>>> You get PCRE by adding
>>>>> --with-libpcre to the ./configure when you build the clients
>>>>> 
>>>>> 
>>>>> 
>>>>> Dave Edelman
>>>>> 
>>>>> 
>>>>>> On Nov 5, 2014, at 09:31, elof2 at sentor.se wrote:
>>>>>> 
>>>>>> 
>>>>>> Hi Monah
>>>>>> 
>>>>>> either just pipe it to | grep POST or see the ra manual
>>>>>> 
>>>>>>     -e <regex>
>>>>>>         Match regular expression in flow user data fields. Prepend the
>>>>>>         regex with either "s:" or "d:" to limit the match to either the
>>>>>>         source or destination user data fields. At this time null bytes in
>>>>>>         the user data buffer terminate search.  Examples include:
>>>>>>            "^SSH-"           - Look for ssh connections on any port.
>>>>>>            "s:^GET"          - Look for HTTP GET requests in the source buffer.
>>>>>>            "d:^HTTP.*Unauth" - Find unauthorized http response.
>>>>>> 
>>>>>>         Depending on the regular expression library that the system
>>>>>>         supports, you will be able to match many types of binary, octal and
>>>>>>         hex expressions.  See regex.3, pcre.3 and the web for examples.
>>>>>> 
>>>>>> so I guess
>>>>>> -e "s:^POST "
>>>>>> is what you're looking for.
>>>>>> 
>>>>>> /Elof
>>>>>> 
>>>>>> 
>>>>>>> On Tue, 4 Nov 2014, Monah Baki wrote:
>>>>>>> 
>>>>>>> Hi all,
>>>>>>> 
>>>>>>> Running the following command:
>>>>>>> 
>>>>>>> ratop -S localhost:561 -s stime proto saddr sport sco daddr dport dco trans sload psize suser:100
>>>>>>> 
>>>>>>> 
>>>>>>> In my suser, I am seeing a lot of "GET", is there a way to tell ratop to
>>>>>>> display POSTs instead of GETs?
>>>>>>> 
>>>>>>> 
>>>>>>> Thank you
>>>>>>> Monah
>>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
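
Added example, not part of this thread and not code from the argus clients: the
pitfalls Dave and Carter describe above (the whole retained user-data buffer is
searched, so "^POST" misses a POST that follows a GET in the same flow; the
"[^G][^E][^T]" regex does not negate "GET"; -v is what negates; a null byte
ends the search; and suser:100 can hide the bytes that actually matched) are
easy to see by running the same expressions over a few constructed buffers.
Python's re module stands in for regex(3)/pcre(3), which may differ in
detail; the null-byte rule is taken from the ra.1 text quoted above and the
buffers are made up, not real captures.

```python
import re

# Constructed sample user-data buffers (not real argus captures). Each value
# stands for the bytes argus would retain as the source user data ("suser")
# of one flow record; the whole retained buffer is what -e is matched against.
BUFFERS = {
    "single_get":   b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "single_post":  b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\nuser=a&pass=b",
    # One keep-alive flow carrying a GET and then a POST: "^POST" misses it.
    "get_then_post": b"GET /a HTTP/1.1\r\nHost: x\r\n\r\nPOST /b HTTP/1.1\r\nHost: x\r\n\r\nid=1",
    # POST only after a null byte: per ra.1 the search stops at the null.
    "null_then_post": b"\x00POST /b HTTP/1.1\r\n",
    # GET with a long URI so that the later POST lies past the first 100 bytes.
    "long_get_then_post": b"GET /" + b"a" * 120 + b" HTTP/1.1\r\n\r\nPOST /x HTTP/1.1\r\n",
    "ssh":          b"SSH-2.0-OpenSSH_6.6\r\n",
}


def user_data_search(pattern: bytes, buf: bytes) -> bool:
    """Unanchored regex search over one flow's user-data buffer.

    Follows the ra.1 text quoted in the thread: the expression is matched
    anywhere in the retained user data, and a null byte terminates the search.
    Python's re is an assumed stand-in for regex(3)/pcre(3).
    """
    searchable = buf.split(b"\x00", 1)[0]
    return re.search(pattern, searchable) is not None


def select_flows(pattern: bytes, negate: bool = False) -> list:
    """Names of the flows a pattern selects; negate models ra's -v flag."""
    return sorted(name for name, buf in BUFFERS.items()
                  if user_data_search(pattern, buf) != negate)


def displayed(buf: bytes, width: int = 100) -> bytes:
    """What a column such as suser:100 shows: only the first `width` bytes."""
    return buf[:width]


if __name__ == "__main__":
    print("s:^POST      ->", select_flows(rb"^POST "))
    print("s:POST       ->", select_flows(rb"POST "))
    print("[^G][^E][^T] ->", select_flows(rb"[^G][^E][^T]"))
    print("-v s:^GET    ->", select_flows(rb"^GET ", negate=True))
    long_buf = BUFFERS["long_get_then_post"]
    print("POST matched but not shown in suser:100:",
          user_data_search(rb"POST ", long_buf) and b"POST" not in displayed(long_buf))
```

Running it shows "^POST " selecting only single_post while the unanchored
"POST " also picks up the keep-alive flow, the "[^G][^E][^T]" expression
matching every buffer that has three consecutive non-null bytes (it is not a
negation), "-v" with "^GET " doing the actual exclusion, and a flow whose
matching POST sits past the 100 bytes that suser:100 displays.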



