I am actually just trying to look into it for the authors of The Sleuth Kit and Autopsy.
In their newsletter #13, Brian Carrier says:
<quote>
Have you ever noticed that the number of occurrences and locations of keywords for regular expressions in Autopsy are not always accurate? This came up on one of the mailing lists this past month and I'll explain it again here.
Previous issues of The Informer have covered keyword searching, but the general idea in Autopsy is that it runs the 'strings' command on the image file and then uses 'grep' to find the keyword. The 'strings' command returns a long ASCII string that grep examines. If the keyword is found in the string, then grep will flag the string and Autopsy will search the string to find the exact location of the keyword.
This is easy if a non-regular expression is used, but much more difficult with regular expressions because 'grep' regular expressions are different from Perl regular expressions. I do not have a way to convert the grep regular expression to Perl and therefore I only return the number of big strings that have the keyword and the location of the start of the big string. There could be more than one keyword in the string, in which case the total occurrences value is too small. The location will also be off because it points to the start of the large string and not the specific keyword.
If anyone knows of, or wants to write, a grep to perl regular expression converter, let me know so that we can update this.
</quote>
So I'm not really sure if he is talking about grep's regular expressions or grep's extended regular expressions or if it even matters.
According to my regex book, all you would need to do is escape some stuff in grep that doesn't get escaped in egrep or perl and don't try to create (?:<stuff>) syntax in grep.
I just want to check with the experts before I start sending emails to The SleuthKit team.
-Jason
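An added example (not from the post or from The Sleuth Kit/Autopsy) that reproduces the counting and location problem the newsletter describes and sketches the basic-regex-to-Perl conversion Jason's book talks about. Python's re module stands in for Perl regex; strings(), bre_to_pcre(), naive_hits() and exact_hits() are hypothetical helpers, and IMAGE is a constructed byte buffer, not a real disk image.

```python
import re

# Constructed sample "image": printable runs separated by binary bytes (not a real disk image).
IMAGE = b"\x00\x00cat dog cat\x00\x01\x02zebra\x00\x00cat\x00"

def strings(data, min_len=4):
    """Stand-in for strings(1): yield (offset, text) for each printable run of min_len+ bytes."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")

def bre_to_pcre(pattern):
    """Convert a POSIX basic (plain grep) regular expression to Perl/Python syntax.
    In a BRE the characters ( ) { } | + ? are literal unless backslash-escaped; in
    Perl they are metacharacters unless escaped, so their escaping is toggled.
    Everything else (. * ^ $, bracket expressions, other escapes) passes through.
    Hypothetical helper; assumes no POSIX classes like [[:alpha:]] or a leading ] in brackets.
    """
    toggled = set("(){}|+?")
    out, i, in_bracket = [], 0, False
    while i < len(pattern):
        c = pattern[i]
        if in_bracket:                      # inside [...] nothing is a metacharacter
            out.append(c)
            in_bracket = c != "]"
        elif c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]            # \( \) \{ \} \| \+ \? become bare; others stay escaped
            out.append(nxt if nxt in toggled else "\\" + nxt)
            i += 1
        elif c == "[":
            in_bracket = True
            out.append(c)
        elif c in toggled:                  # bare ( ) { } | + ? were literals in the BRE
            out.append("\\" + c)
        else:
            out.append(c)
        i += 1
    return "".join(out)

def naive_hits(data, bre):
    """The behaviour the newsletter describes: one hit per big string, at the string's start."""
    rx = re.compile(bre_to_pcre(bre))
    return [off for off, s in strings(data) if rx.search(s)]

def exact_hits(data, bre):
    """Per-keyword offsets: string offset plus the match offset inside that string."""
    rx = re.compile(bre_to_pcre(bre))
    return [off + m.start() for off, s in strings(data) for m in rx.finditer(s)]
```

With the BRE `cat\|zebra`, naive_hits reports two hits at offsets 2 and 16 while exact_hits finds three at 2, 10 and 16; the short "cat" at offset 23 is never seen because strings(1) drops runs under the minimum length.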