[Bro] NUL-related error messages

Robin Sommer robin at icir.org
Mon Nov 3 10:43:59 PST 2008


On Thu, Oct 30, 2008 at 10:27 +0100, you wrote:

> Do i need to somehow preprocess the data string before matching it? How 
> can I make Bro successfully match such payloads?

I think match_pattern() does indeed not deal well with strings
containing null bytes. Not sure how easy it would be to fix that. 

Depending, on what exactly you want to do, you could try to work
around that:

- ignore the warnings if you aren't interested in these particular
strings anyway 

- use the "/pattern/ in data" operator if that's sufficient 

- see if one of the other string functions in string.bif provide
enough functionality and work better (likely not)

- escape the data with string_escape() and adjust the regexp if
necessary 

All not very nice, admitably.

Robin

-- 
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org 
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org


More information about the Bro mailing list