[ https://issues.apache.org/jira/browse/METRON-870?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15978731#comment-15978731 ]

ASF GitHub Bot commented on METRON-870:
---------------------------------------

Github user nishihatapalmer commented on the issue:

    https://github.com/apache/incubator-metron/pull/541
  
    There is a slightly out of date (note to self: update this!) syntax 
document at:
    
https://github.com/nishihatapalmer/byteseek/blob/master/src/main/java/net/byteseek/parser/regex/Regular%20Expression%20syntax.txt
    
    It gives an overview of most of the syntax, but some of it is only usable 
by full regexes, not sequence matchers.  In particular, it can only accept 
syntax which leads to a fixed-length expression, so these are **excluded**:
    
    ```
    *  zero to many
    + one to many
    () groups
    {n,m} n to m copies.
    X | Y alternatives.
    ```
    
    Shorthands defined in this document also do not currently function properly 
(e.g. [ascii]).
    
    Finally, note that inversion ^ functions differently to most regular 
expression syntaxes.  The token being inverted is the following token, not the 
entire set.  So most regexes would say something like [^ 01 02 03] meaning every 
byte except 01, 02 and 03.  In byteseek this would be ^[ 01 02 03], as you are 
inverting the set.  [ ^01 02 03] is also valid - except you are now specifying 
a set containing everything but 01 (which already covers 02 and 03).
    
    It's fairly easy to create a different parser if necessary, but most of 
byteseek's regex syntax is fairly standard, but oriented towards bytes rather 
than strings as the default atomic unit.
    
    Any questions please feel free to ask (and I really must update the syntax 
document!).
    
    Regards,
    
    Matt.
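
To make the inversion rule described in the comment above concrete, here is an added Python example. It is not byteseek's parser and not Metron code; it re-implements only the fixed-length subset the comment describes: two-digit hex bytes, [ ... ] sets, and a prefix ^ that inverts only the token that follows it. The variable-length operators the comment lists as excluded are rejected at parse time. The sample HTTP payload is constructed for the example, and the names parse_sequence and find_all are this example's own, not byteseek API.

```python
"""Toy parser/matcher for the fixed-length byteseek-style subset described in
the comment above.  Added example: not byteseek's or Metron's code.

Assumed from the comment: two-digit hex bytes, [ ... ] sets, and a prefix ^
that inverts the *following* token only.  The variable-length operators the
comment lists as excluded are rejected up front.
"""
from __future__ import annotations

ALL_BYTES = frozenset(range(256))
HEX_DIGITS = frozenset("0123456789abcdefABCDEF")
# Excluded from sequence matchers: they would make the expression variable-length.
VARIABLE_LENGTH_OPERATORS = frozenset("*+(){}|")

# Constructed sample payload (not a real capture): an HTTP request line + headers.
SAMPLE_PAYLOAD = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def _tokenize(expr: str) -> list[str]:
    """Split expr into '[', ']', '^' and two-digit hex byte tokens."""
    tokens: list[str] = []
    i = 0
    while i < len(expr):
        ch = expr[i]
        if ch.isspace():
            i += 1
        elif ch in "[]^":
            tokens.append(ch)
            i += 1
        elif ch in VARIABLE_LENGTH_OPERATORS:
            raise ValueError(f"'{ch}' is not allowed in a fixed-length sequence")
        else:
            pair = expr[i:i + 2]
            if len(pair) != 2 or not set(pair) <= HEX_DIGITS:
                raise ValueError(f"expected a two-digit hex byte at offset {i}, got {pair!r}")
            tokens.append(pair)
            i += 2
    return tokens


def parse_sequence(expr: str) -> list[frozenset[int]]:
    """Return the set of bytes allowed at each position of the fixed-length sequence."""
    tokens = _tokenize(expr)
    positions: list[frozenset[int]] = []
    i = 0
    while i < len(tokens):
        invert_token = tokens[i] == "^"
        if invert_token:
            i += 1
        if i >= len(tokens) or tokens[i] == "^":
            raise ValueError("'^' must be followed by a byte or a set")
        if tokens[i] == "]":
            raise ValueError("unexpected ']'")
        if tokens[i] == "[":
            members: set[int] = set()
            i += 1
            while i < len(tokens) and tokens[i] != "]":
                if tokens[i] == "^":
                    # ^ inside a set inverts only the next byte: the member added
                    # is "every byte except this one", not the inverse of the set.
                    i += 1
                    if i >= len(tokens) or tokens[i] in ("[", "]", "^"):
                        raise ValueError("'^' inside a set must precede a byte")
                    members |= ALL_BYTES - {int(tokens[i], 16)}
                elif tokens[i] == "[":
                    raise ValueError("nested sets are not supported in this example")
                else:
                    members.add(int(tokens[i], 16))
                i += 1
            if i >= len(tokens):
                raise ValueError("unterminated set")
            allowed = frozenset(members)
        else:
            allowed = frozenset({int(tokens[i], 16)})
        if invert_token:
            # ^ before a token inverts that whole token (a single byte or a set).
            allowed = ALL_BYTES - allowed
        positions.append(allowed)
        i += 1
    if not positions:
        raise ValueError("empty expression")
    return positions


def find_all(positions: list[frozenset[int]], data: bytes) -> list[int]:
    """Offsets in data where the byte at each position is in that position's set."""
    n = len(positions)
    return [
        off for off in range(len(data) - n + 1)
        if all(data[off + k] in positions[k] for k in range(n))
    ]


if __name__ == "__main__":
    # "GET " at the start of the payload.
    print(find_all(parse_sequence("47 45 54 20"), SAMPLE_PAYLOAD))                 # [0]
    # "HTTP/1." followed by anything except '0' (^ inverts only the byte 30).
    print(find_all(parse_sequence("48 54 54 50 2f 31 2e ^30"), SAMPLE_PAYLOAD))    # [16]
    # Inverting the whole set vs. inverting one member inside the set.
    print(len(parse_sequence("^[ 01 02 03]")[0]))   # 253: everything but 01, 02, 03
    print(len(parse_sequence("[ ^01 02 03]")[0]))   # 255: everything but 01
```

The two set expressions from the comment come out as the comment says: ^[ 01 02 03] leaves 253 allowed bytes, while [ ^01 02 03] leaves 255, because the inverted member already admits 02 and 03. Feeding a payload-filter expression containing *, +, (), {n,m} or | raises before any matching happens, which is the check a pcap-query filter would want so that a variable-length expression is rejected rather than silently mis-parsed.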


> Add filtering by packet payload to the pcap query
> -------------------------------------------------
>
>                 Key: METRON-870
>                 URL: https://issues.apache.org/jira/browse/METRON-870
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Casey Stella
>
> Currently we have the ability to filter packets in the pcap query tool by 
> header information (src/dest ip/port).  We should be able to filter by binary 
> regex on the packets themselves. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
