I can't seem to get pattern matching to work using the following pattern
and code under ORO 2.0.4:

private final String messageRegExp = "(<SOM.*?>[\\x00-\\xff]*?<EOM>)";

messagePattern = getCompiler().compile(messageRegExp);

public TcpMessageFinderResult extractTcpMessage(String buffer)
{
        //System.out.println("TCP message is: " + buffer);
        
        Perl5Matcher matcher = new Perl5Matcher();
        PatternMatcherInput input = new PatternMatcherInput(buffer);
        TcpMessageFinderResult result = new TcpMessageFinderResult();
        ArrayList arr = result.getMessages();
        String postMatch = null;
        //matcher.setMultiline(false);
        while (matcher.contains(input, getMessagePattern()))
        {
                result.setContains(true);
                MatchResult matchResult = matcher.getMatch();
                if (matchResult.groups() >= 1)
                        arr.add(matchResult.group(1));
                postMatch = input.postMatch();
        }
        result.setPostMatch(postMatch);
        return result;
}


The data bounded by <SOM> and <EOM> tags parses fine when the embedded
data is plain text. However, when that same data is encrypted (still in
ASCII format) the expression fails to match. I've tried numerous
expressions in an attempt to get this working, but with no luck. Any
help would be greatly appreciated.


Thanks,
Terry Quigley

P.S. I've enclosed the encrypted data in case that helps. 




 <<oro.txt>>  <<orolog.txt>> 

TCP message is: <SOM 
TYPE='REQUESTRESPONSE'>eScan_Eye|247|1014239667019|02|<NUL>|All_systems|NmapPing|Emprise
 
Test|192.168.1.131|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|0000|1|0|1|0|0|0000|192.168.1.106|MDYyNzA2MTI4MjUy|[EMAIL PROTECTED]|1|0|<NUL>|SCAN
 COMPLETED SUCCESSFULLY<EOM><SOM TYPE='FILENAME' UTILITY='NMAP'>nmapT.txt<EOM><SOM 
TYPE='FILESIZE' UTILITY='NMAP'>2504<EOM><SOM TYPE='FILEDATA' 
UTILITY='NMAP'>[encrypted file data removed]<EOM>
TCP message is: <SOM TYPE='STATUS'>Encrypting the scan output files<EOM><SOM 
TYPE='STATUS'>Encrypting the scan output files completed<EOM><SOM 
TYPE='STATUS'>Transferring Nmap scan output files<EOM><SOM TYPE='STATUS'>Transferring 
Nmap scan output files completed<EOM>
Pattern match against messageRegExp.
Pattern match against messageRegExp.
    group 1: <SOM 
TYPE='REQUESTRESPONSE'>eScan_Eye|247|1014239667019|02|<NUL>|All_systems|NmapPing|Emprise
 
Test|192.168.1.131|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|<NUL>|0000|1|0|1|0|0|0000|192.168.1.106|MDYyNzA2MTI4MjUy|[EMAIL PROTECTED]|1|0|<NUL>|SCAN
 COMPLETED SUCCESSFULLY<EOM>
    group 1: <SOM TYPE='STATUS'>Encrypting the scan output files<EOM>
Pattern match against messageRegExp.
Pattern match against messageRegExp.
    group 1: <SOM TYPE='FILENAME' UTILITY='NMAP'>nmapT.txt<EOM>
    group 1: <SOM TYPE='STATUS'>Encrypting the scan output files completed<EOM>
Pattern match against messageRegExp.
Pattern match against messageRegExp.
    group 1: <SOM TYPE='FILESIZE' UTILITY='NMAP'>2504<EOM>
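
Added example, not part of the original post and written against java.util.regex rather than ORO: it shows one way the posted pattern can skip a binary frame, namely when the bytes were decoded to a String with a charset such as windows-1252 that maps some bytes to code points above \xff. That cause is an assumption the post does not confirm; the class name, helper names and sample bytes are constructed for illustration.

```java
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SomEomFraming {
    // Pattern from the post: the body class only admits chars U+0000..U+00FF.
    static final Pattern BYTE_RANGE =
            Pattern.compile("(<SOM.*?>[\\x00-\\xff]*?<EOM>)");
    // Variant: DOTALL lets '.' match every char, including newlines.
    static final Pattern ANY_CHAR =
            Pattern.compile("(<SOM.*?>.*?<EOM>)", Pattern.DOTALL);

    static List<String> extract(Pattern p, String buffer) {
        List<String> frames = new ArrayList<>();
        Matcher m = p.matcher(buffer);
        while (m.find()) {
            frames.add(m.group(1));
        }
        return frames;
    }

    // Constructed wire data: a text frame, then a frame with non-text bytes.
    static byte[] sampleWire() {
        byte[] text = "<SOM TYPE='STATUS'>ok<EOM><SOM TYPE='FILEDATA'>"
                .getBytes(StandardCharsets.US_ASCII);
        byte[] body = {0x40, (byte) 0x89, 0x0a, (byte) 0xfd};
        byte[] end = "<EOM>".getBytes(StandardCharsets.US_ASCII);
        byte[] wire = new byte[text.length + body.length + end.length];
        System.arraycopy(text, 0, wire, 0, text.length);
        System.arraycopy(body, 0, wire, text.length, body.length);
        System.arraycopy(end, 0, wire, text.length + body.length, end.length);
        return wire;
    }

    public static void main(String[] args) {
        byte[] wire = sampleWire();
        // ISO-8859-1 maps byte N to char N; windows-1252 maps 0x89 to U+2030.
        String latin1 = new String(wire, StandardCharsets.ISO_8859_1);
        String cp1252 = new String(wire, Charset.forName("windows-1252"));
        System.out.println("latin1 / byte range: " + extract(BYTE_RANGE, latin1).size());
        System.out.println("cp1252 / byte range: " + extract(BYTE_RANGE, cp1252).size());
        System.out.println("cp1252 / any char:   " + extract(ANY_CHAR, cp1252).size());
    }
}
```

A ciphertext body can also contain the bytes of <EOM> by chance, so delimiting the FILEDATA payload by the length announced in the FILESIZE frame is more reliable than a regex terminator.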