[
https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20240#comment-20240
]
Jon Siwek commented on BIT-844:
-------------------------------
Fixed in topic/jsiwek/bit-844
Unrelated, I also removed some signature "benchmarking" code that I don't think
deserves to be in the production version of the code.
> UDP payload signature patterns don't match packet-wise
> ------------------------------------------------------
>
> Key: BIT-844
> URL: https://bro-tracker.atlassian.net/browse/BIT-844
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Assignee: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
>
> The docs say:
> {noformat}
> Regular expressions are implicitly anchored, i.e., they work as if prefixed
> with the ^ operator. For reassembled TCP connections, they are anchored at
> the first byte of the payload stream. For all other connections, they are
> anchored at the first payload byte of each packet. To match at arbitrary
> positions, you can prefix the regular expression with .*, as done in the
> examples above.
> {noformat}
> But for a UDP connection made up of 2 packets with payloads "XXXX'" and then
> "YYYY", I still need the ".*" prefix to match on the 2nd:
> {noformat}
> signature yyyy {
> ip-proto = udp
> payload /.*YYYY/
> event "Found YYYY"
> }
> {noformat}
> Changing the pattern to {{/YYYY/}} or {{/^YYYY/}} results in no match (but
> does match if I flip order of packets).
--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
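
A small Python model of the two anchoring semantics discussed in this thread, added here as an illustration; it is not Bro's matcher code and not part of the original message. `flow_anchored` is an assumed model that only reproduces the reported symptoms (it makes no claim about the actual root cause), and all function names are hypothetical.

```python
import re

# Constructed sample: the two UDP payloads from the report, in order.
FLOW = [b"XXXX'", b"YYYY"]
PATTERNS = [rb".*YYYY", rb"YYYY", rb"^YYYY"]


def packet_anchored(pattern, payloads):
    """Documented non-TCP semantics: the implicit ^ is re-applied at the
    first payload byte of every packet. Returns indices of matching packets."""
    rx = re.compile(pattern, re.DOTALL)
    # re.match() anchors at offset 0, like the implicit ^ in a signature.
    return [i for i, data in enumerate(payloads) if rx.match(data)]


def flow_anchored(pattern, payloads):
    """Assumed model of the reported symptom: the implicit ^ is applied once,
    at the first payload byte of the flow, and later packets only extend the
    same input. Returns the index of the packet that completes a match."""
    rx = re.compile(pattern, re.DOTALL)
    seen = b""
    for i, data in enumerate(payloads):
        seen += data
        if rx.match(seen):
            return [i]
    return []


def compare(payloads, patterns=PATTERNS):
    """Map each pattern to (packet_anchored hits, flow_anchored hits)."""
    return {p: (packet_anchored(p, payloads), flow_anchored(p, payloads))
            for p in patterns}


if __name__ == "__main__":
    for label, flow in (("reported order", FLOW), ("flipped order", FLOW[::-1])):
        print(label)
        for pat, (per_pkt, per_flow) in compare(flow).items():
            print(f"  /{pat.decode()}/  per-packet={per_pkt}  per-flow={per_flow}")
```

For signature authors, the practical consequence is that a pattern written to the documented per-packet semantics can silently miss later datagrams on an affected build, so a table like this is worth turning into a regression test against a two-packet trace.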