Actually that is what I want (every port on that IP) - It's a second nic on that box that only does one thing (just on a couple different random ports)

I just tried both: PORT "REMOTE=%192.168.22.3:.*" and PORT REMOTE=%192.168.22.3:.*

(without the double quotes) and neither worked.

Again, explicitly stating PORT REMOTE=192.168.22.3:1234 does work, so I know it at least partially works :-)

-jeff

On 5/17/07, Galen Johnson <gjohnson at trantor.org> wrote:

Jeff Newman wrote:

...

All,

Quick question. I have tried every permutation I can think of but basically:

Every PORT example I can find has something similar to:

PORT LOCAL=%[.:]22$ (etc...) or PORT LOCAL=%.:

No example I have seen has it where you KNOW the IP and you DONT know the port, such as:

192.168.22.3:???????????

I need the port string to match an IP with an unknown port number.

If I do: PORT REMOTE=192.168.22.3:1234 (saying that netstat has a 1234 established) it works fine, but (again pretending on the port #'s) if a netstat had 3 established connections to ports 1234,1111,23521 I only get the 1234. I want all of them.

Ive tried permutations for 2 hours now, and can't figure it out.

Thanks, Jeff

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

Have you tried "REMOTE=%192.168.22.3:.*"? Now, that will most likely get you every port on that IP...which is probably not what you want...it's usually easier to write it for the ports you want...or "EXREMOTE=%192.168.22.3:.*"...

=G=

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

Stll didn't work.

Henrik: I've just counted 60 different variations I have tried ( ()'s "'s etc.. in various places) and still the only thing that works is

PORT REMOTE=192.168.22.3:1234

I cannot get the regex to work. What would be the absolute authoritative way to do this? Is there some sort of log I can look at? BTW server is 4.2, os is redhat as 4

Thanks, Jeff

On 5/17/07, Galen Johnson <gjohnson at trantor.org> wrote:

Jeff Newman wrote:

...

Actually that is what I want (every port on that IP) - It's a second nic on that box that only does one thing (just on a couple different random ports)

I just tried both: PORT "REMOTE=%192.168.22.3:.*" and PORT REMOTE=%192.168.22.3:.*

(without the double quotes) and neither worked.

Again, explicitly stating PORT REMOTE=192.168.22.3:1234 does work, so I know it at least partially works :-)

-jeff

On 5/17/07, Galen Johnson <gjohnson at trantor.org> wrote:

...

Jeff Newman wrote:

...

All,

Quick question. I have tried every permutation I can think of but basically:

Every PORT example I can find has something similar to:

PORT LOCAL=%[.:]22$ (etc...) or PORT LOCAL=%.:

No example I have seen has it where you KNOW the IP and you DONT know the port, such as:

192.168.22.3:???????????

I need the port string to match an IP with an unknown port number.

If I do: PORT REMOTE=192.168.22.3:1234 (saying that netstat has a 1234 established) it works fine, but (again pretending on the port #'s) if a netstat had 3 established connections to ports 1234,1111,23521 I only get the 1234. I want all of them.

Ive tried permutations for 2 hours now, and can't figure it out.

Thanks, Jeff

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

Have you tried "REMOTE=%192.168.22.3:.*"? Now, that will most likely get you every port on that IP...which is probably not what you want...it's usually easier to write it for the ports you want...or "EXREMOTE=%192.168.22.3:.*"...

=G=

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

Just tried it using pcretest and it works...there are some threads on the list that suggest wrapping the regex in quotes: REMOTE="%192.168.22.3:.*"

Dunno what else to try...

=G=

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

All,

Thank you for your help.

The following is what ended up working:

PORT REMOTE=%192.168.22.3.*

I had to drop the ":" from the output. The netstat returned:

tcp4 0 0 192.168.22.4.40389 192.168.22.3.1261 ESTABLISHED

no colon. Doh.

Thanks again.

-Jeff On 5/21/07, John Glowacki <johng at idttechnology.com> wrote:

The following works for me on redhat as 4, Hobbit server 4.2 with allinone patch, pcre version 6.7.

HOST=hobbit1 PORT REMOTE=%::ffff:10.10.196.120:.* PORT REMOTE=%10.10.128.130:.*

You can run tests in hobbit like this:

../bin/bbcmd ../bin/hobbitd_client --test

2007-05-21 11:02:10 Using default environment file /opt/hobbit/server/etc/hobbitserver.cfg Hostname (.=end, ?=dump, !=reload) []: hobbit1 Hosttype []: linux Test (cpu, mem, disk, proc, log, port): port Need to know netstat columns for 'Local address', 'Remote address' and 'State' Enter columns [4 5 6]: 5 To read 'netstat' data from a file, enter '@FILENAME' at the prompt netstat line: tcp 0 1408 ::ffff:10.10.128.130:22 ::ffff:10.10.196.120:2575 ESTABLISHED netstat line: &green remote=%::ffff:10.10.196.120:.* : (found 1, req. 1 or more) &red remote=%10.10.128.230:.* : (found 0, req. 1 or more) Hostname (.=end, ?=dump, !=reload) [hobbit1]: .

John

Jeff Newman wrote:

...

Stll didn't work.

Henrik: I've just counted 60 different variations I have tried ( ()'s "'s etc.. in various places) and still the only thing that works is

PORT REMOTE=192.168.22.3:1234

I cannot get the regex to work. What would be the absolute authoritative way to do this? Is there some sort of log I can look at? BTW server is 4.2, os is redhat as 4

Thanks, Jeff

On 5/17/07, Galen Johnson <gjohnson at trantor.org> wrote:

...

Jeff Newman wrote:

...

Actually that is what I want (every port on that IP) - It's a second nic on that box that only does one thing (just on a couple different random ports)

I just tried both: PORT "REMOTE=%192.168.22.3:.*" and PORT REMOTE=%192.168.22.3:.*

(without the double quotes) and neither worked.

Again, explicitly stating PORT REMOTE=192.168.22.3:1234 does work, so I know it at least partially works :-)

-jeff

On 5/17/07, Galen Johnson <gjohnson at trantor.org> wrote:

...

Jeff Newman wrote:

...

All,

Quick question. I have tried every permutation I can think of but basically:

Every PORT example I can find has something similar to:

PORT LOCAL=%[.:]22$ (etc...) or PORT LOCAL=%.:

No example I have seen has it where you KNOW the IP and you DONT know the port, such as:

192.168.22.3:???????????

I need the port string to match an IP with an unknown port number.

If I do: PORT REMOTE=192.168.22.3:1234 (saying that netstat has a 1234 established) it works fine, but (again pretending on the port #'s) if a netstat had 3 established connections to ports 1234,1111,23521 I only get the 1234. I want all of them.

Ive tried permutations for 2 hours now, and can't figure it out.

Thanks, Jeff

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

Have you tried "REMOTE=%192.168.22.3:.*"? Now, that will most likely get you every port on that IP...which is probably not what you want...it's usually easier to write it for the ports you want...or "EXREMOTE=%192.168.22.3:.*"...

=G=

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

Just tried it using pcretest and it works...there are some threads on the list that suggest wrapping the regex in quotes: REMOTE="%192.168.22.3:.*"

Dunno what else to try...

=G=

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk

To unsubscribe from the hobbit list, send an e-mail to hobbit-unsubscribe at hswn.dk