[Bro] Patterns and Word Boundaries

Lloyd Brown lloyd_brown at byu.edu
Thu Oct 22 14:32:09 PDT 2015


For future list-viewers, yes, I was missing something obvious.  The word
boundaries are genuinely missing, but I was using the shortcuts like
'[:space:]' incorrectly.

In short, '[:space:]' and others like it are not character classes
themselves, but they can exist in a character class.  The '[:space:]' is
not the equivalent of '[ \f\n\r\t\v]', but '[[:space:]]' is.

Thanks for the feedback on this, Robin.  Sorry for the unnecessary list
noise.

Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu

On 10/22/2015 11:08 AM, Lloyd Brown wrote:
> Well, okay.  From what I can tell experimentally, it doesn't have
> working shortcuts like "\s" or "[:space:]" either, so I guess I'm left
> to do it more like *this* attachment.
> 
> Unless I'm missing something obvious.  I'd be happy to be wrong on this one.
> 
> Lloyd Brown
> Systems Administrator
> Fulton Supercomputing Lab
> Brigham Young University
> http://marylou.byu.edu
> 
> On 10/22/2015 10:03 AM, Samuel Oehlert wrote:
>> I know Bro's regex syntax is almost exactly the same as Flex (only
>> differing in some very edge cases). I am not positive, but from a
>> cursory google it seems Flex doesn't understand word boundaries.
>>
>> -Sam
>>
>> On Thu, Oct 22, 2015 at 8:05 AM, Lloyd Brown <lloyd_brown at byu.edu> wrote:
>>
>>     Hopefully this isn't too simplistic of a question, but I'm just getting
>>     started with Bro.
>>
>>     In the text pattern syntax for Bro [1], is there an easy way to define
>>     word boundaries, similar to how some of the RegEx dialects use '\b',
>>     '\<', '\>', etc.? [2]
>>
>>     I'm trying to match for specific strings in a data stream.  For example,
>>     the word "nmap".  I'm trying several approaches, based on past RegEx
>>     knowledge, and I'm having trouble coming up with a single pattern that
>>     would handle it all.  Example bro test script attached; hopefully it's
>>     clear.
>>
>>     Fundamentally, is there a syntax reference for pattern matching, or does
>>     it conform to a commonly known dialect (e.g. POSIX-style RegEx, or PCRE
>>     RegEx)?
>>
>>
>>     [1] https://www.bro.org/sphinx/scripting/index.html#pattern
>>     [2] http://www.regular-expressions.info/wordboundaries.html
>>
>>     --
>>     Lloyd Brown
>>     Systems Administrator
>>     Fulton Supercomputing Lab
>>     Brigham Young University
>>     http://marylou.byu.edu
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
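
The bracket-expression rule described at the top of this message, as an added example that is not part of the original thread. It uses POSIX regcomp() as a stand-in that follows the same rule; Bro's own matcher is not invoked. The pattern strings, the matches() helper and the sample inputs are constructed for illustration. The third pattern goes one step beyond the thread and emulates a word boundary with negated classes.

```c
#include <regex.h>
#include <stdio.h>

/* Returns 1 if the POSIX extended regex `pattern` matches anywhere in
 * `text`, 0 if it does not, and -1 if the pattern fails to compile. */
int matches(const char *pattern, const char *text)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, text, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Mistake: '[:space:]' alone is a bracket expression that lists the
 * literal characters ':', 's', 'p', 'a', 'c', 'e'. */
const char *WRONG = "[:space:]nmap[:space:]";
/* Intended: the named class placed inside a bracket expression. */
const char *RIGHT = "[[:space:]]nmap[[:space:]]";
/* Word-boundary substitute (assumption, not from the thread): "nmap"
 * must be delimited by start/end of input or a non-word character. */
const char *WORD = "(^|[^[:alnum:]_])nmap([^[:alnum:]_]|$)";

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "run nmap now",    /* whitespace on both sides */
        "scan:nmap:fast",  /* ':' on both sides, no whitespace */
        "nmap -sS host",   /* word at the very start */
        "unmapped",        /* "nmap" embedded in a longer word */
    };
    printf("%-18s %5s %5s %5s\n", "input", "WRONG", "RIGHT", "WORD");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s %5d %5d %5d\n", samples[i],
               matches(WRONG, samples[i]),
               matches(RIGHT, samples[i]),
               matches(WORD, samples[i]));
    return 0;
}
```

The WRONG pattern fails in both directions: it misses the whitespace-delimited input and matches the colon-delimited one.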
