Nmap Development mailing list archives

Re: nmap-service-probes matching questions


From: Kris Katterjohn <katterjohn () gmail com>
Date: Wed, 02 Apr 2008 19:10:45 -0500

doug () hcsw org wrote:
Hi Kris,

Hey Doug,

o Is it better to combine matches like I have done with the first two
sets when the difference is small?  Only one word is different between
the matches.

Yes, using alternation (abc|def) is fine and is a good idea if the services
are very similar. Thanks for noticing this in the eggdrop match lines.
However, there is a small problem with this line and the last one in your
patch. If you're using the | as the regexp delimiter, you can't use
alternation because it will interfere with the reading of the regexp.
In such a case, I usually use / or = as the delimiter. For example:

match login m=^\x01Permission denied ?: Error (35|0|1)\r?\n?$= p/Tru64 Unix logind/ o/Tru64 UNIX/

If m|...(35|0|1)...| was used, this line would be broken.


D'oh! I knew that, I just wasn't thinking.  Thanks.

At least I was 1-for-3 :)

o In the third one, is this how it is done to capture the substrings and
to have them match correctly?  What are the $N values for these?  This
is what it seems like it would be (excluding $1 and $2 which I didn't
touch):

$3 is the outer () capture, which is either "posting ok" or "no posting"
depending on the match
$4 is the first inner () capture, which is "posting ok"
$5 is the second inner () capture, which is "no posting"

Is this correct?

Yes, this is how nested capturing works. If you only want to use alternation
without capture, use ?:, for example: (?:GET|POST). This is slightly more
efficient and also you don't need holes in your numbering, i.e. p/$1/ v/$2/ h/$4/.
Also, keep in mind that (abc|def)? WILL capture a group even if the empty string
matches this regexp component. In other words, this is the same as (abc|def|).
Don't even ask about (abc|def)*. :)


Okay, cool, I didn't know about ?:.  I was just basing this off of the
winshell matchline (currently line 2525).

In your example here:

match nntp m|^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) ready \(((posting ok)|(no posting))\)\.\r\n| p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/

I see no reason for nested capture. Why not simply (posting ok|no posting) ?
(And make sure you use a different regexp delim than | as described above).


I assumed that the alternation would occur around "ok" and "no" rather
than the sets of words because of the spacing.

I guess I should just research the regex semantics I don't use instead
of mailing here :)

Sorry if these are simple.  I use vi and [e]grep all the time, with awk
and sed fairly often, but I rarely use Perl (gasp!) or anything else
with nested captured substrings so I'm clueless here.

nvi+Perl 4life. Read up on perl's -n switch and you will never need awk/sed again.

Thanks for helping,

Doug

Thanks a lot,
Kris Katterjohn

PS that should be e?grep :)

True, true.. :)


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
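The following is an added example, not code from this thread or from Nmap itself. It is a small parser for match lines in the nmap-service-probes style, written to show the two points made above: the regexp delimiter must not also occur inside the regexp (so m|...(35|0|1)...| is cut short at the first inner |, while m=...= works), and how nested groups, plain alternation and (?:...) map onto the $N placeholders in the p/ v/ i/ h/ o/ fields. Assumptions: Python's re module stands in for the PCRE engine Nmap uses; the two match lines are the ones quoted in the thread and the banners are constructed sample data; a $N whose group took part in no alternative is expanded to an empty string here, which is a choice made for this example and not a statement about Nmap's own substitution code.

```python
import re

# Version fields in a match line: a field letter (p v i h o d) followed by
# /text/, where text may contain $N placeholders.  A backslash escapes the
# next character so "/" can appear inside a field.
_FIELD = re.compile(r"(?<!\S)([pvihod])/((?:[^/\\]|\\.)*)/")
_PLACEHOLDER = re.compile(r"\$(\d+)")
_FLAGS = re.compile(r"([is]*)\s*(.*)", re.S)  # optional i/s flags after the closing delimiter


def parse_match_line(line):
    """Split 'match <service> m<d>regex<d>[flags] fields...' into its parts.

    Raises ValueError for malformed lines, including the case where the
    delimiter also appears inside the regexp and truncates it.
    """
    parts = line.strip().split(None, 2)
    if len(parts) != 3 or parts[0] != "match":
        raise ValueError("expected: match <service> m<delim>regex<delim> fields")
    service, rest = parts[1], parts[2]
    if not rest.startswith("m") or len(rest) < 3:
        raise ValueError("regex must be written as m<delim>...<delim>")
    delim = rest[1]
    # The regexp ends at the first later occurrence of the delimiter.  This is
    # exactly why m|...(a|b)...| breaks: the | inside the group ends the regexp.
    end = rest.find(delim, 2)
    if end < 0:
        raise ValueError("unterminated regex")
    pattern, tail = rest[2:end], rest[end + 1:]
    flag_chars, fields_text = _FLAGS.match(tail).groups()
    flags = (re.IGNORECASE if "i" in flag_chars else 0) | (re.DOTALL if "s" in flag_chars else 0)
    try:
        regex = re.compile(pattern, flags)
    except re.error as exc:
        raise ValueError(f"regex {pattern!r} does not compile: {exc}") from None
    return {"service": service, "delim": delim, "pattern": pattern,
            "regex": regex, "fields": _FIELD.findall(fields_text)}


def line_parses(line):
    """True when the line parses and its regexp compiles, False otherwise."""
    try:
        parse_match_line(line)
        return True
    except ValueError:
        return False


def group_count(pattern):
    """Number of numbered capture groups a pattern allocates, i.e. how many $N
    slots it consumes.  (?:...) adds none; (abc|def)? still adds one."""
    return re.compile(pattern).groups


def apply_match(parsed, banner):
    """Run the compiled regexp on a banner.  Returns None when it does not
    match, otherwise the raw capture groups plus the expanded fields."""
    m = parsed["regex"].search(banner)
    if m is None:
        return None

    def expand(template):
        def repl(ph):
            n = int(ph.group(1))
            if n > m.re.groups:
                raise ValueError(f"${n} in {template!r} has no matching group")
            return m.group(n) or ""  # assumption: non-participating group -> ''
        return _PLACEHOLDER.sub(repl, template)

    return {"service": parsed["service"], "groups": m.groups(),
            "fields": {name: expand(t) for name, t in parsed["fields"]}}


# Match lines quoted in the thread (TRU64_BAR is the broken | form); banners are constructed.
TRU64_EQ = (r"match login m=^\x01Permission denied ?: Error (35|0|1)\r?\n?$= "
            r"p/Tru64 Unix logind/ o/Tru64 UNIX/")
TRU64_BAR = (r"match login m|^\x01Permission denied ?: Error (35|0|1)\r?\n?$| "
             r"p/Tru64 Unix logind/ o/Tru64 UNIX/")
NNTP_NESTED = (r"match nntp m=^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) "
               r"ready \(((posting ok)|(no posting))\)\.\r\n= "
               r"p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/")
NNTP_FLAT = (r"match nntp m=^20. ([-.\w]+) InterNetNews NNRP server INN (\d[-.\w ]+) "
             r"ready \((posting ok|no posting)\)\.\r\n= "
             r"p/InterNetNews (INN)/ h/$1/ v/$2/ i/$3/")
POSTING_OK_BANNER = "200 news.example.net InterNetNews NNRP server INN 2.4.3 ready (posting ok).\r\n"
NO_POSTING_BANNER = "200 news.example.net InterNetNews NNRP server INN 2.4.3 ready (no posting).\r\n"

if __name__ == "__main__":
    print("| delimiter with alternation parses:", line_parses(TRU64_BAR))
    print("= delimiter with alternation parses:", line_parses(TRU64_EQ))
    for label, line in (("nested", NNTP_NESTED), ("flat", NNTP_FLAT)):
        parsed = parse_match_line(line)
        print(label, "groups allocated:", group_count(parsed["pattern"]))
        for banner in (POSTING_OK_BANNER, NO_POSTING_BANNER):
            print("  ", apply_match(parsed, banner))
```

Running it shows the nested form allocating five groups with $4 or $5 unset depending on which alternative matched, the flat (posting ok|no posting) form giving the same i/ field from three groups, and the | delimited Tru64 line failing to parse because its regexp is cut at "(35".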
