[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Process Regexp Problems
From: |
Brendan Strejcek |
Subject: |
Re: Process Regexp Problems |
Date: |
Tue, 13 Apr 2004 21:06:55 -0500 |
User-agent: |
Mutt/1.3.28i |
Russell Adams wrote:
> The answer turned out to be:
>
> "[0-9] /usr/sbin/cron"
>
> I tried various methods of detecting the brackets that failed
> miserably.
If you really wanted to match not-brackets you could do it with
a negated character class:
$ echo '[' | egrep '[^[]'
$ echo a | egrep '[^[]'
a
$ echo ']' | egrep '[^]]'
$ echo a | egrep '[^]]'
a
$ echo '[/usr/sbin/cron]' | egrep '[^]]/usr/sbin/cron[^]]'
$ echo a/usr/sbin/cronb | egrep '[^]]/usr/sbin/cron[^]]'
a/usr/sbin/cronb
I'm not sure exactly why you would want to write a process regex in this
manner, but I enjoy regexs so I just thought I would throw it out there.
> This will suffice.
That will match non-root processes named /usr/sbin/cron also... an
atacker might be able to start a fake cron and fool cfagent into not
restarting a service which should be running. Not that this is a clear
and present danger or anything, but why take chances?