I can't seem to get pattern matching to work using the following pattern and code under ORO 2.0.4.
    import java.util.ArrayList;
    import org.apache.oro.text.regex.*;

    // Frame pattern: a <SOM ...> opening tag, any run of chars, then <EOM>.
    // Group 1 captures the whole frame including both tags.
    private final String messageRegExp = "(<SOM.*?>[\\x00-\\xff]*?<EOM>)";

    // Compiled once (getCompiler() returns the shared Perl5Compiler);
    // getMessagePattern() hands the compiled Pattern back to the matcher.
    messagePattern = getCompiler().compile(messageRegExp);

    public TcpMessageFinderResult extractTcpMessage(String buffer) {
        //System.out.println("TCP message is: " + buffer);
        Perl5Matcher matcher = new Perl5Matcher();
        PatternMatcherInput input = new PatternMatcherInput(buffer);
        TcpMessageFinderResult result = new TcpMessageFinderResult();
        ArrayList arr = result.getMessages();
        String postMatch = null;
        //matcher.setMultiline(false);
        // contains() advances the input past each match, so the loop
        // collects every complete frame in the buffer in order.
        while (matcher.contains(input, getMessagePattern())) {
            result.setContains(true);
            MatchResult matchResult = matcher.getMatch();
            if (matchResult.groups() >= 1)
                arr.add(matchResult.group(1));
            postMatch = input.postMatch();   // whatever follows the last frame
        }
        result.setPostMatch(postMatch);
        return result;
    }

The data bounded by <SOM> and <EOM> tags parses fine when the embedded data is plain text. However, when that same data is encrypted (still in ASCII format) the expression fails to match. I've tried numerous expressions in an attempt to get this working, but with no luck. Any help would be greatly appreciated.

Thanks,
Terry Quigley

P.S. I've enclosed the encrypted data in case that helps.

<<oro.txt>> <<orolog.txt>>
TCP message is: <SOM TYPE='REQUESTRESPONSE'>eScan_Eye|247|1014239667019|02|<NUL>|All_systems|NmapPing|Emprise Test|192.168.1.131|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|0000|1|0|1|0|0|0000|192.168.1.106|MDYyNzA2MTI4MjUy|[EMAIL PROTECTED]|1|0|<NUL>|SCAN COMPLETED SUCCESSFULLY<EOM><SOM TYPE='FILENAME' UTILITY='NMAP'>nmapT.txt<EOM><SOM TYPE='FILESIZE' UTILITY='NMAP'>2504<EOM><SOM TYPE='FILEDATA' UTILITY='NMAP'>@Pý:3hõut?"ô¡©±qot˜6ß"¿MÔ©Ž1õáw‰zj(–Žy?¼ìÉD…1ói¡ÔßhsÎá€7»½q‚•D.ÿÁJëàðô.:×?«‘>óÒ‘p>Çö?†$îðf Ó[lë©~ÃfÓ¼Ã|½Ëtš¾23Q¡F‰Ò‹¹OöÔŽ>4ÏÄÈÞ.:lÓ%øžHï"jñˆ~±DaàK«F¡^°ä?2©DÁÂǧýAk՛Ϥô¨3ã#dRñ?à‹¦ˆ€?Cío!p†Ë“p%Í©½ f?P=_æXƒ?n£ç¹X²IKoY)û&»ÝÁª.Äö¿˜{L‰·ssó;zÞÓ`ÊŽö§fGîßÊU·?ùûI‚G1ËÜuì¸O“Q V=ÓiÛ?ç„`¡…?rŠ5†ÉLü9uÖêb«WSLJºat)Æz_zòÿ«©æmxÏZ«Ó18O™¾d)ºù[z„}?ò?юয়›4›q; è}‹q·âÊu .L.Àq˜á» ·Qý>ŒÈ`N]<<)6aÚÛà;Æ›©M;¼ÿ}ï2ŒI_áÍñêšyÝøxhêHðûùá"!xFšÐ¶9?÷{\§„ÎÀ˜<HIy+öÕ%Ô‘ µñb¾»Â2·éÛ= Ñ1e?P?WèÞ•v¹$CAÅc!8`û%?sþmâÛˆ°¥qÁ;W!tªŽ©*o½ôFm]?ƒ¸7ñ”ZZ;°î~'n1ñ HÖÝ‘5åýœi(Þ˜xœŒ¨˜¤SÆ‘>æhýÙ¥ Ûá‹îÿöÊù”‚#¦ÐÚð¿%"Vô\xž¹¸[gû5áÛ[ÅŒXÃL²ŠÏ¾³êœ8dæÛÖáú,ãq„tž@Ô‚§¿W¶Kñ°î/Æ,£!Zi—kÆ NPb:”ÍÒôǶò*xÊÕÚ*«ãÖžqÐ.*ÊÒ óu%ßÕû-´èC¾õ7a7›ºëÍvº®(Šuÿ¬I"eez²ÜqÑCxž ¡–긇¯îוÏÐÔ)²JTNss²Iº5|¤cAš> þJð4?>èß¡èlýÎaà¥ìk?@ÔtÔñ$Œ§oUÉ¡0MK»ë¦Tòaž18þx÷½™AãAÄ#•h?ÙU8=È0(íÑ?ú##¦R©|¶}Е1l'†½Q…œ‘âHW¦Æ5`?»/ÊrÔ决`&Æ‚s™¶æï¯Sç`ÐE²aÄCóo{?¡ëùh?‚“šFˆ?ñ‘Lúão£‰ð(aFá駩ÂkcÅâÿ1“Q!¡ˆ Ÿ£“FÛÿlá-ûï'.Aâ+êÝ”?ún<ž<@“¾ý,°¶s\áemòÒ7‹EC‚Qú62eà? Yn ¦² Ï‘…£bzA¥ø@vAÕî<ÇQfÕ?á‚+2!"ç”?¦®»gªÚ^Љ΄Ç0X”4dz¹÷æ$pkžPIì.Ì©ÖKŸ õNüL•D î‘IY˜?9)v/’ðW´ p1Ž;Êø²®°ý?Åú)9e^ËÕg$;4!€ÑÉJ›ÄÝÁ6;n[‚»AˆøVžýøQJª$mÎ%ˆ E££ÿYs–on«}S¾.d©Ç ÚÅwj¨G²Æ?gÂÁX3Îj"Ü—zà!ÍôÕUâL€îÄwS¸:Þhž3òNúÕ\?Oª¾Ü»ÀŠŽ ´™F˜ÿ¾2#u8¬ˆà€¿oŽßuT5E¯Ð?°Ïm/1¯?*un¥Îõµ90²¾ƒï½S¿ô,?@·©(\îy‘S)/«BÈKš‚ Ê„ŠG!S ÖÀ5åÁÔôõÆ$]qÀ–ßÏ×6µNæØ…8ò1ÝF9%? àÌ„üxgó5bë?ɧƒåÜóÙÙìÐ%œÆ$±àYƒd?ÿßãÑ`ÅOáÙº²g÷cHaa«ä`Í9~WIüãä À3KÎbÀÏóÈ;=ÒuìAºNqAÏÑÕ‹? 
£Æó(/;·úvÎçåð1Òp»¿-™Lf1œÆÓè{?3T³o—ÏL s ÿïBS¿8š¬*ûÿTdz˜¹?3<Vã°;îÙR4Òg¼GO¹[û,š?n|”‹ÉÀ—§dWfH°©·¢l6…3’=DƒTŠbÿØ?^¬ÏºlÂCᯃ@pHŽ~XÌàZPüõ¾—æ»Ì f‹ ¸%u‘‹W *½¢Ã"%rM´Û?ññ0“QÍ~Ü{²{Rø?†*¦ÞçJÀ?Ý€êLOÊ|Hk4åºI?lÎݬŠEôOð·*=Š¥•'-ÿèÓüNÅð?úóyÜ÷Ày4¯Isš!öW¦»ôSž‚õ!í&Í^ ¾[Aݯ5`—¥]9Q{?Ö™P»·°0Ö ¾›ÀMé# ÖúVŒYMë‰ ·²¿‰¬ìüýî`&V°†o¼s%5MT„פ^?ûß¡,^ÈL¬WZºâÃÀSvÛa+Ê?¤ù‘xÃê+j#Û?‹ß©+îøÌ]C³é"së_´Að÷꣗åóGm»J?QWæ? ÕÈRO—*nG†#£?Œ˜å»Yîpw+}>ƒ/gøÄ*ˆdŠ?0-¹ÿ<Eð3±ÜñgsTl§pΰ»8"4%<š•þšª?· ÓÈé_z“™$Û}Kë==;"6g“x¡?ëŽ~Ù? °5îVÍß®9ŠæïÅ8r ?»<õàðoÑBosó^Þ~":º°ÐB(aÂ÷±?áÓ: ª ’g¾†Rq9ü0âU5j‹«r¾)Àvûˆý4?9ü0âU5jü>Ô_[´õ6±xAa%Ö2??þ?sÅ<ð ÐXµ6Ôªô"ÅÇ8ë°Ëév((Û{§x@òæ.U¬™?Ý|e0jª³kâHn÷= )÷ ÷¬éU¹L8A˜‰!‚·ÜC»uçŽN#ÊU«îVàÕ)¢ÔdÀœ™ÔäIÆbÁf§ìÃCãÁöii(¶¿/:øÇ…¥?$üÕþÕUkEÑ:‘Ù.¶¯6ÑÓ/`$ bիɸ/ msWVFR®6Z[}ؘ¢Bõø/ðªÉX©/QØzª¬~²…Ñ‘ËÉS¢‘O§„Ä"~‡uŒ:f!ªìÇÎ txþÁjw¹ö¤úÀéÓ2M2‡Ä;]? 1‡ Àä3™Ÿ¾i êp‹óš„*¿s´³¯¶ÖêKA…¢4Z>í'¸sÆ÷ùð©‡qUdRñ?à‹¦ˆ®YªÝòqOb$Àóés_äc<EOM> TCP message is: <SOM TYPE='STATUS'>Encrypting the scan output files<EOM><SOM TYPE='STATUS'>Encrypting the scan output files completed<EOM><SOM TYPE='STATUS'>Transferring Nmap scan output files<EOM><SOM TYPE='STATUS'>Transferring Nmap scan output files completed<EOM> Pattern match against messageRegExp. Pattern match against messageRegExp. group 1: <SOM TYPE='REQUESTRESPONSE'>eScan_Eye|247|1014239667019|02|<NUL>|All_systems|NmapPing|Emprise Test|192.168.1.131|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|0000|1|0|1|0|0|0000|192.168.1.106|MDYyNzA2MTI4MjUy|[EMAIL PROTECTED]|1|0|<NUL>|SCAN COMPLETED SUCCESSFULLY<EOM> group 1: <SOM TYPE='STATUS'>Encrypting the scan output files<EOM> Pattern match against messageRegExp. Pattern match against messageRegExp. group 1: <SOM TYPE='FILENAME' UTILITY='NMAP'>nmapT.txt<EOM> group 1: <SOM TYPE='STATUS'>Encrypting the scan output files completed<EOM> Pattern match against messageRegExp. Pattern match against messageRegExp. group 1: <SOM TYPE='FILESIZE' UTILITY='NMAP'>2504<EOM>
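The following is an added demonstration, not code from this thread or from the eScan_Eye project, written to show the behaviour the question and the attached log exhibit. Once the TCP bytes have been turned into a Java String, a character class such as [\x00-\xff] matches code points, not bytes: a ciphertext byte like 0x8E decodes to U+008E under ISO-8859-1 but to U+017D (the "Ž" visible in the FILEDATA blob above) under windows-1252, which lies outside the class, so the lazy quantifier can never reach <EOM> and the frame is silently dropped. The example compiles the poster's pattern next to a plain `.` pattern compiled with `Perl5Compiler.SINGLELINE_MASK` (so `.` also spans newlines) and runs both over the same constructed frame decoded under each charset. It assumes ORO 2.0.x on the classpath; the class name, the helper `concat`, and the frame bytes are constructed for this illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

import org.apache.oro.text.regex.MalformedPatternException;
import org.apache.oro.text.regex.MatchResult;
import org.apache.oro.text.regex.Pattern;
import org.apache.oro.text.regex.PatternMatcherInput;
import org.apache.oro.text.regex.Perl5Compiler;
import org.apache.oro.text.regex.Perl5Matcher;

/*
 * Added demonstration, not code from the thread. Shows why the byte-range
 * class [\x00-\xff] stops matching once raw ciphertext bytes have been
 * decoded into a Java String, and how a pattern compiled with
 * SINGLELINE_MASK (so '.' also matches newlines) behaves on the same input.
 * Assumes ORO 2.0.x on the classpath; the frame bytes below are constructed.
 */
public class SomEomFrameDemo {

    /* The poster's class: matches only chars U+0000..U+00FF. */
    static final String BYTE_RANGE_REGEX = "(<SOM.*?>[\\x00-\\xff]*?<EOM>)";

    /* Plain '.' between the tags; with SINGLELINE_MASK it matches any char. */
    static final String ANY_CHAR_REGEX = "(<SOM.*?>.*?<EOM>)";

    /* Pull every <SOM ...>...<EOM> frame out of an already-decoded buffer. */
    static List<String> extractFrames(String buffer, String regex, int options)
            throws MalformedPatternException {
        Pattern pattern = new Perl5Compiler().compile(regex, options);
        Perl5Matcher matcher = new Perl5Matcher();
        PatternMatcherInput input = new PatternMatcherInput(buffer);
        List<String> frames = new ArrayList<String>();
        while (matcher.contains(input, pattern)) {   // advances past each match
            MatchResult m = matcher.getMatch();
            frames.add(m.group(1));
        }
        return frames;
    }

    public static void main(String[] args) throws Exception {
        // Constructed FILEDATA frame whose payload holds byte 0x8E and a newline,
        // the kind of values ciphertext produces on the wire.
        byte[] wire = concat(
            "<SOM TYPE='FILEDATA'>".getBytes(StandardCharsets.US_ASCII),
            new byte[] { 0x41, (byte) 0x8E, 0x42, 0x0A, 0x43 },
            "<EOM>".getBytes(StandardCharsets.US_ASCII));

        // The same bytes decode to different chars depending on the charset:
        // ISO-8859-1 maps 0x8E to U+008E (inside \x00-\xff), while
        // windows-1252 (the Windows default) maps it to U+017D (outside it).
        for (String cs : new String[] { "ISO-8859-1", "windows-1252" }) {
            String decoded = new String(wire, Charset.forName(cs));
            int byteRangeHits = extractFrames(decoded, BYTE_RANGE_REGEX, 0).size();
            int anyCharHits = extractFrames(decoded, ANY_CHAR_REGEX,
                                            Perl5Compiler.SINGLELINE_MASK).size();
            System.out.println(cs + ": byte-range class found " + byteRangeHits
                + " frame(s), single-line '.' found " + anyCharHits + " frame(s)");
        }
    }

    /* Join byte arrays; constructed helper for building the sample frame. */
    static byte[] concat(byte[]... parts) {
        int total = 0;
        for (byte[] p : parts) total += p.length;
        byte[] out = new byte[total];
        int pos = 0;
        for (byte[] p : parts) {
            System.arraycopy(p, 0, out, pos, p.length);
            pos += p.length;
        }
        return out;
    }
}
```

Under ISO-8859-1 both patterns find the frame; under windows-1252 the byte-range class finds none while the single-line `.` pattern still finds one, which is the same asymmetry the log shows (every frame is captured except FILEDATA). Two further caveats follow from framing binary data with text delimiters at all: the decoded content depends on the platform default charset unless the decoder is chosen explicitly, and a ciphertext payload can legitimately contain the byte sequence `<EOM>`, which would truncate the frame and misalign every frame after it. Carrying the ciphertext base64-encoded (the protocol already does this for one field in the REQUESTRESPONSE frame) or honouring the FILESIZE value as a length prefix removes both failure modes.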