Nmap Development mailing list archives

Re: Small Problem w/RegEx for Service Detection...


From: "Paul Tod Rieger" <prie () abl com>
Date: Wed, 6 Sep 2000 12:04:32 -0400

Jay Freeman (saurik) <saurik () saurik com> noted:

The real crux of the problem is that Expect's parser isn't any better than
regcomp().  [...]  It doesn't have internal escaping, takes even fewer
arguments (a single "char *"), and has almost the same error message for
trying exact escaping of '\0':
[...]
When working with applications that shoot back binary data it becomes
just as annoying to work with as nmap+V

Yeah, the author of Expect agrees with you:  On pp. 155-157 of Exploring
Expect (the rhesus monkey book?), Don Libes discusses Expecting a Null
Character:

remove_nulls 0    ;# disable null removal
expect null       ;# match a null

While the user can search for only a null, any characters skipped over can
be found in "expect_out(buffer)".  Libes gives an example of a procedure
that calculates the value of a 4-byte integer that may contain binary
zeroes.  He concludes:

"This approach to handling null bytes may seem slow and awkward (and it is),
[...]  The tradeoff of allowing null to be handled differently is that it
allows the rest of Tcl to be much simpler than it otherwise would be."

He seems to agree that there just isn't going to be a fast and elegant way
to handle binary protocols with regexp.  Slow and awkward is to be ...
expected.

Tod
abl.com
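
The limitation discussed in this message, as an added example (not code from the post, from Nmap, or from Exploring Expect): POSIX regexec() takes a NUL-terminated "char *", so it stops at the first zero byte of a binary reply, while a length-aware search and a 4-byte integer decode see the whole buffer. The REPLY bytes, the big-endian layout and the function names are constructed for illustration.

```c
#include <regex.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed reply (not a real protocol): 2-byte tag, 4-byte big-endian
 * integer containing zero bytes, then a text marker. */
static const unsigned char REPLY[] = {0x01, 0x02, 0x00, 0x00, 0x01, 0x00, 'O', 'K', '\n'};

/* regexec() receives only a NUL-terminated "char *", so it sees just the
 * bytes before the first 0x00. Returns 1 on match, 0 on no match, -1 on a
 * pattern that fails to compile. buf must contain a terminating zero byte. */
int regex_sees(const unsigned char *buf, const char *pattern) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int hit = (regexec(&re, (const char *)buf, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

/* Length-aware search: offset of needle within buf, or -1 if absent. */
long find_bytes(const unsigned char *buf, size_t len,
                const unsigned char *needle, size_t nlen) {
    if (nlen == 0 || nlen > len) return -1;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(buf + i, needle, nlen) == 0) return (long)i;
    return -1;
}

/* Decode a 4-byte big-endian integer at off; zero bytes are ordinary data.
 * Returns 0 on success, -1 if fewer than 4 bytes remain. */
int read_be32(const unsigned char *buf, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return -1;
    *out = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
    return 0;
}

int main(void) {
    uint32_t value = 0;
    printf("regex sees OK: %d\n", regex_sees(REPLY, "OK"));
    printf("byte search offset: %ld\n",
           find_bytes(REPLY, sizeof REPLY, (const unsigned char *)"OK", 2));
    if (read_be32(REPLY, sizeof REPLY, 2, &value) == 0)
        printf("integer: %u\n", (unsigned)value);
    return 0;
}
```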


