OmniPeek Support

How can i use regular expression in pattern search?

nodscool
Posts: 3
Joined: Wed Jan 27, 2010 7:46 pm

How can i use regular expression in pattern search?

Postby nodscool » Wed Jan 27, 2010 7:53 pm

I have one question: how can I use a regex like patter(type:regex, '.*abc')? I have never succeeded with any type of regular expression.

We need to find malware or HTML such as webshells.
They have a pattern like 'shell("...', so I made a filter with a regex in advanced mode,
but it does not work properly with any type of regular expression syntax, and it does not show an error message.

I received information about the filterme plugin, but when I try filterme, the installer shows the message 'Nothing to do'. This happens on every system,
such as Windows XP, Windows Vista, Windows 7, and OmniPeek Enterprise, Basic... the installer did not work on any system. So,
how can I install that on our system, or use a regular expression in a filter?

thank you

DJWP
Posts: 687
Joined: Tue Oct 30, 2007 11:42 am

RE: How can i use regular expression in pattern search?

Postby DJWP » Fri Jan 29, 2010 4:16 pm

Make sure you have "Regular Expression" selected in the drop down menu of the Advanced Pattern Filter dialog. Don't check any of the offset boxes, as you want to scan the entire packet for the text.

Please submit your plugin question to the Developer forum and it will be addressed there.
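As an added illustration of the two points in the reply above (scan the whole packet, and leave the offset boxes unchecked), here is a small Python stand-in for what a pattern filter does: it runs a regex over raw packet bytes, optionally restricted to a byte range. This is example code written for this thread, not OmniPeek's own filter engine; the packets and the 54-byte fake header prefix are constructed for the example and are assumptions, not captured data.

```python
import re
from typing import Dict, List, Optional

# Constructed sample packets. The leading 54 zero bytes stand in for the
# Ethernet/IP/TCP headers that precede the payload in a real frame.
FAKE_HEADER = b"\x00" * 54

PACKETS: Dict[str, bytes] = {
    "get_page": FAKE_HEADER
        + b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "webshell_post": FAKE_HEADER
        + b"POST /img/c99.php HTTP/1.1\r\nHost: example.test\r\n\r\n"
        + b'cmd=shell("id")',
    "dns_like": FAKE_HEADER
        + b"\x12\x34\x01\x00\x00\x01\x07example\x04test\x00",
}


def matches(pattern: bytes, packet: bytes,
            start: Optional[int] = None, end: Optional[int] = None,
            ignore_case: bool = False) -> bool:
    """Return True if the regex matches anywhere in packet[start:end].

    start/end play the role of the offset boxes: when both are None the
    whole packet is scanned, which is what you want for a text search.
    re.DOTALL lets '.' cross CR/LF so '.*' behaves on HTTP payloads.
    """
    flags = re.DOTALL | (re.IGNORECASE if ignore_case else 0)
    rx = re.compile(pattern, flags)
    lo = 0 if start is None else start
    hi = len(packet) if end is None else end
    return rx.search(packet, lo, hi) is not None


def filter_packets(pattern: bytes, packets: Dict[str, bytes] = PACKETS,
                   **kw) -> List[str]:
    """Names of the packets the pattern filter would accept, sorted."""
    return sorted(name for name, data in packets.items()
                  if matches(pattern, data, **kw))


if __name__ == "__main__":
    # Whole-packet scan: plain substrings and the webshell signature hit.
    print(filter_packets(rb"GET"))            # ['get_page']
    print(filter_packets(rb'shell\("'))       # ['webshell_post']
    # Restricting the scan to the first 10 bytes (an offset box) misses
    # everything, because the text lives after the headers.
    print(filter_packets(rb"GET", start=0, end=10))   # []
    # Anchoring with ^ also fails on a whole-packet scan for the same reason.
    print(filter_packets(rb"^GET"))           # []
```

Two practical takeaways: an offset-limited scan only sees header bytes unless the offset is set exactly at the payload, and an anchored pattern such as `^GET` cannot match a whole-packet scan because the headers come first. Use an unanchored expression (`GET`, `shell\("`) and let the filter search the full packet.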

nodscool
Posts: 3
Joined: Wed Jan 27, 2010 7:46 pm

Re: RE: How can i use regular expression in pattern search?

Postby nodscool » Tue Feb 02, 2010 7:54 pm

[quote="DJWP"]Make sure you have "Regular Expression" selected in the drop down menu of the Advanced Pattern Filter dialog. Don't check any of the offset boxes, as you want to scan the entire packet for the text.

Please submit your plugin question to the Developer forum and it will be addressed there.[/quote]

I tried this solution, but it does not work properly.
I made the filter as you mentioned:
open Filters, choose Pattern filter, enter the pattern 'GET', and do not check any other option such as the offset check box.

Select the filter, and then click the 'Start Capture' button.
I load a web page, but it does not count filtered packets while it does count received packets. I open the packets that are HTTP protocol; they contain the 'GET' string.
I tested more strings, such as 'GE', 'HTTP', ''GET'', 'GE.*',
but no pattern string works; there were no packets.
When I uncheck the filter that has the RegEx pattern, it receives packets.

I think I am doing it properly, but I don't understand this situation.
How can I set up a filter that uses a regular expression?

