[Bro] Bro: TCP, regex

Robin Sommer robin at icir.org
Wed Nov 7 12:58:05 PST 2007


On Wed, Nov 07, 2007 at 14:54 -0500, Adayadil Thomas wrote:

> Now at the later stages, if a regular expression matching is done,
> will it match across different deliveries?

Yes, it will if you're referring to Bro's signatures. Signature
matching is performed on the payload *stream* independent of any
packet boundaries (this is different from Snort, or at least it was
different when I last looked at it; perhaps things have changed
these days).

On the scripting layer things work a bit differently. You can use
regexps there to match on a string but the string needs to be
available completely at that time. You cannot save the matching
state so that you could later pass in more data. However, that's
usually not a problem because the core already extracts the right
semantic units from the protocols on which you can then match. A
typical example is URLs from HTTP sessions: the core will take care
that a script always sees complete URLs; the stream reassembly
happens before the HTTP decoder extracts the URLs. So matching a
regexp on the URL you get from the core will work fine even if in
the original packet stream the URL crosses packet boundaries.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
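The distinction Robin draws above, as an added illustration that is not part of the original mail or of Bro itself: a regex run per TCP segment misses a pattern that straddles a segment boundary, whereas the same regex run over the reassembled payload stream finds it, and the HTTP decoder then hands the script layer a complete URL. The segments, the traversal-style detection pattern and the helper names are all constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: one HTTP request split across three TCP segments,
# delivered out of order, with the URL crossing two segment boundaries.
# Each tuple is (relative sequence number, payload bytes).
SEGMENTS: List[Tuple[int, bytes]] = [
    (0, b"GET /cgi-bin/sea"),
    (33, b"?q=x HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (16, b"rch/../../private"),
]

# Example detection pattern (assumed, not a real Bro signature): a
# directory-traversal sequence inside a cgi-bin URL.
PATTERN = re.compile(rb"GET /cgi-bin/[^ ]*\.\./")

def match_per_segment(pattern: re.Pattern, segments) -> bool:
    """Per-packet matching (Snort-style as the post describes it): the
    regex sees each segment alone, so anything straddling a boundary
    is invisible to it."""
    return any(pattern.search(payload) for _, payload in segments)

def reassemble(segments) -> bytes:
    """Minimal model of the TCP reassembler: order segments by sequence
    number and concatenate contiguous data, stopping at the first gap."""
    stream = b""
    for seq, payload in sorted(segments):
        if seq != len(stream):   # gap: a segment is still missing
            break
        stream += payload
    return stream

def match_stream(pattern: re.Pattern, segments) -> bool:
    """Bro-signature-style matching: the regex runs over the reassembled
    payload stream, so packet boundaries no longer matter."""
    return pattern.search(reassemble(segments)) is not None

def extract_url(stream: bytes) -> Optional[str]:
    """What the core's HTTP decoder does for the script layer: return the
    complete request URL as one semantic unit from the reassembled stream."""
    m = re.match(rb"(?:GET|POST|HEAD) (\S+) HTTP/1\.[01]\r\n", stream)
    return m.group(1).decode("ascii", "replace") if m else None

if __name__ == "__main__":
    print("per-segment match:", match_per_segment(PATTERN, SEGMENTS))  # False
    print("stream match     :", match_stream(PATTERN, SEGMENTS))       # True
    print("extracted URL    :", extract_url(reassemble(SEGMENTS)))
```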