
Re: [Full-Disclosure] Pattern matching search tool



On 05-Jan-2005, Paul Schmehl wrote:
> Is anyone aware of a search tool (not Google or search engine aggregation 
> software) that could be used to search our network for "interesting stuff"? 
> It needs to be capable of doing pattern matching similar to perl's regular 
> expression stuff.
> 
> I'm looking for something that, for example, could tell me all the machines 
> on our network that are running copies of phpBB (obvious reasons) so that 
> we could quickly identify potential problem areas.
> 

Paul:

FTimes in dig mode will do this as would webjob programmed with a
specific command to execute. FTimes and webjob are single binaries you
can push out (psexec, login script, etc.) to many machines and run.
FTimes allows a disk search across your entire file system space 
(800+ systems no problem). I've used it during IR events to search for
specific binaries, credit card numbers, keywords, etc. on all the file 
system space in a network. Both the tools can write the data out local to
the host file system or post the data to a webserver via SSL. 

http://ftimes.sourceforge.net/

Therefore, you could deploy FTimes with a specific search string and have
it post the data to a server as the job completes across all your hosts. 
You then grep, import to DB, etc. and search through the data. This
approach allows the admin to view their network's disk space as one
unit and creates a more holistic approach. 

See Example 2. Using dig mode to search for strings:
http://ftimes.sourceforge.net/FTimes/ManPage.shtml

This example demonstrates how to search files and directories for a set of 
HEX/ASCII strings.

--- strings.cfg ---
DigString=This+box+is+0wn3d
DigString=3l33t
DigString=175.20.1.7
DigString=hacklist@xxxxxxxxxxx
--- strings.cfg ---

ftimes --digauto strings.cfg 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
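As an added illustration of the dig-mode idea described above (my own code, not FTimes and not taken from the man page), the script below reads a strings.cfg-style file, interprets each DigString value as URL-encoded text (a plus sign for a space, %XX for a raw byte; that reading of the man page example is my assumption), and sweeps a directory tree for every string, recording file, byte offset and the string that hit. Files are read in chunks with an overlapping tail so a string that straddles a chunk boundary is still found exactly once. The sample config and the files it sweeps are constructed inside the script.

```python
import os
import tempfile
from urllib.parse import unquote_to_bytes

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large files need little RAM


def parse_dig_config(text):
    """Return the DigString values of a strings.cfg-style config as bytes."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "DigString" and value:
            # '+' stands for a space, %XX for a raw byte (assumed encoding)
            patterns.append(unquote_to_bytes(value.replace("+", " ")))
    return patterns


def dig_file(path, patterns, chunk_size=CHUNK_SIZE):
    """Scan one file for every pattern; return (path, offset, pattern) hits."""
    hits = []
    overlap = max(len(p) for p in patterns) - 1  # tail kept between reads
    carry = b""
    base = 0  # absolute file offset of buf[0]
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            buf = carry + chunk
            for pat in patterns:
                idx = buf.find(pat)
                while idx >= 0:
                    # A hit lying wholly inside the carried tail was already
                    # reported last round; one crossing the boundary was not.
                    if idx + len(pat) > len(carry):
                        hits.append((path, base + idx, pat))
                    idx = buf.find(pat, idx + 1)
            carry = buf[-overlap:] if overlap > 0 else b""
            base += len(buf) - len(carry)
    return hits


def dig_tree(root, patterns, chunk_size=CHUNK_SIZE):
    """Sweep every regular file under root; paths are reported relative."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                found = dig_file(path, patterns, chunk_size)
            except OSError:
                continue  # unreadable file: skip it, as a real sweep must
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            hits.extend((rel, off, pat.decode("latin-1")) for _, off, pat in found)
    return sorted(hits)


# Constructed config for this example; the first string is the man page's own.
SAMPLE_CONFIG = """\
# constructed strings.cfg
DigString=This+box+is+0wn3d
DigString=phpBB
DigString=%41%42%43
"""


def demo(chunk_size=8):
    """Build a constructed tree in a temp dir, sweep it and return the hits."""
    patterns = parse_dig_config(SAMPLE_CONFIG)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "www", "forum"))
        os.makedirs(os.path.join(root, "tmp"))
        with open(os.path.join(root, "www", "forum", "config.php"), "wb") as f:
            f.write(b"<?php\n// phpBB 2 configuration\n$dbms = 'mysql';\n")
        with open(os.path.join(root, "tmp", "note.txt"), "wb") as f:
            f.write(b"xxxxxxThis box is 0wn3d ABC\n")  # straddles 8-byte chunks
        with open(os.path.join(root, "README"), "wb") as f:
            f.write(b"nothing of interest here\n")
        return dig_tree(root, patterns, chunk_size)


if __name__ == "__main__":
    for rel, off, text in demo():
        print("%s|%d|%s" % (rel, off, text))
```

Each hit is printed as path|offset|string, which is the kind of per-host record you would post to a collection server and then grep or load into a database across all hosts; the tiny chunk size in demo() exists only to exercise the boundary case, a real sweep would use the default.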