Nmap Development mailing list archives
Re: nmap-service-probes matching questions
From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 02 Apr 2008 19:10:45 -0500
doug () hcsw org wrote:
> Hi Kris,
Hey Doug,
> > o Is it better to combine matches like I have done with the first two sets when the difference is small? Only one word is different between the matches.
>
> Yes, using alternation (abc|def) is fine and is a good idea if the services are very similar. Thanks for noticing this in the eggdrop match lines. However, there is a small problem with this line and the last one in your patch. If you're using the | as the regexp delimiter, you can't use alternation because it will interfere with the reading of the regexp. In such a case, I usually use / or = as the delimiter. For example:
>
> match login m=^\x01Permission denied ?: Error (35|0|1)\r?\n?$= p/Tru64 Unix logind/ o/Tru64 UNIX/
>
> If m|...(35|0|1)...| was used, this line would be broken.
D'oh! I knew that, I just wasn't thinking. Thanks. At least I was 1-for-3 :)
> > o In the third one, is this how it is done to capture the substrings and to have them match correctly? What are the $N values for these? This is what it seems like it would be (excluding $1 and $2 which I didn't touch):
> >
> > $3 is the outer () capture, which is either "posting ok" or "no posting" depending on the match
> > $4 is the first inner () capture, which is "posting ok"
> > $5 is the second inner () capture, which is "no posting"
> >
> > Is this correct?
>
> Yes, this is how nested capturing works. If you only want to use alternation without capture, use ?:, for example: (?:GET|POST). This is slightly more efficient and also you don't need holes in your numbering, i.e. p/$1/ v/$2/ h/$4/. Also, keep in mind that (abc|def)? WILL capture a group even if the empty string matches this regexp component. In other words, this is the same as (abc|def|). Don't even ask about (abc|def)*. :)
Okay, cool, I didn't know about ?:. I was just basing this off of the winshell matchline (currently line 2525).
> In your example here:
>
> match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(((posting ok)|(no posting))\)\.\r\n| p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/
>
> I see no reason for nested capture. Why not simply (posting ok|no posting) ? (And make sure you use a different regexp delim than | as described above).
I assumed that the alternation would occur around "ok" and "no" rather than the sets of words because of the spacing. I guess I should just research the regex semantics I don't use instead of mailing here :)
> > Sorry if these are simple. I use vi and [e]grep all the time, with awk and sed fairly often, but I rarely use Perl (gasp!) or anything else with nested captured substrings so I'm clueless here.
>
> nvi+Perl 4life. Read up on perl's -n switch and you will never need awk/sed again.
>
> Thanks for helping,
> Doug
Thanks a lot, Kris Katterjohn
> PS that should be e?grep :)
True, true.. :)
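The two points argued in this thread, that an alternation inside a m|...| match line cuts the regexp short, and that nested groups still count in the $N numbering, as an added Python example that is not part of this thread or of Nmap's own code. The match lines and the NNRP banner are constructed for illustration; the parser ignores the optional i/s flags after the closing delimiter and cpe: fields.

```python
import re

# Constructed match lines in nmap-service-probes syntax. NESTED and FLAT use
# "=" as the regexp delimiter because their patterns contain "|".
NESTED = (r"match nntp m=^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) "
          r"ready \(((posting ok)|(no posting))\)\.\r\n= p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/")
FLAT = (r"match nntp m=^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) "
        r"ready \((posting ok|no posting)\)\.\r\n= p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/")
# Same idea with "|" as delimiter: the first "|" of the alternation ends the regexp.
BROKEN = r"match login m|^\x01Permission denied ?: Error (35|0|1)\r?\n?$| p/Tru64 Unix logind/"

# Constructed banner, not captured from a real server.
BANNER = "200 news.example.test InterNetNews NNRP server INN 2.4.3 ready (posting ok).\r\n"

def parse_match(line):
    """Split 'match <svc> m<d>regexp<d> <k>/<template>/ ...' into its parts.
    The regexp runs from just after 'm<d>' up to the next <d>, which is exactly
    why a '|' inside the pattern breaks a '|'-delimited line."""
    _, service, rest = line.split(None, 2)
    delim = rest[1]
    end = rest.index(delim, 2)
    regex = re.compile(rest[2:end])          # re.error if the delimiter cut it short
    fields = dict(re.findall(r"\b([a-z])/([^/]*)/", rest[end + 1:]))
    return service, regex, fields

def is_well_delimited(line):
    """True when the chosen delimiter does not collide with the pattern body."""
    try:
        parse_match(line)
        return True
    except re.error:
        return False

def apply_match(line, banner):
    """Run one match line against a banner. Returns (service, raw capture
    groups, fields with $N expanded) or None if the regexp does not match."""
    service, regex, fields = parse_match(line)
    m = regex.search(banner)
    if not m:
        return None
    # $N refers to the N-th capturing group; unset groups expand to nothing.
    expanded = {k: re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", v)
                for k, v in fields.items()}
    return service, m.groups(), expanded

if __name__ == "__main__":
    for name, line in (("NESTED", NESTED), ("FLAT", FLAT)):
        print(name, apply_match(line, BANNER))
    print("BROKEN well delimited?", is_well_delimited(BROKEN))
```

With NESTED the groups come back as five entries (the unmatched "no posting" branch is still numbered $5), while FLAT yields the same expanded fields from only three groups.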
Current thread:
- nmap-service-probes matching questions Kris Katterjohn (Apr 01)
- Re: nmap-service-probes matching questions doug (Apr 02)
- Re: nmap-service-probes matching questions Kris Katterjohn (Apr 02)
- Re: nmap-service-probes matching questions doug (Apr 02)