[Bro] http analyzer and de-obfuscating the payload

Vern Paxson vern at icir.org
Wed Oct 13 13:01:20 PDT 2010

> Or this...
> output = string_cat(a, b);

One caveat is that the string_cat approach is essentially O(N^2) in the
size of the reassembled stream, because it winds up repeatedly copying the
entire string.  Ideally we'd fix this under the hood, one fine day ...


More information about the Bro mailing list