[Bro] Patterns and Word Boundaries
daniel.guerra69 at gmail.com
Thu Oct 22 15:56:28 PDT 2015
Have you read this ??
Regex != Flex
> On 22 Oct 2015, at 23:32, Lloyd Brown <lloyd_brown at byu.edu> wrote:
> For future list-viewers, yes, I was missing something obvious. The word
> boundaries are genuinely missing, but I was using the shortcuts like
> '[:space:]' incorrectly.
> In short, '[:space:]' and others like it, are not character classes
> themselves, but they can exist in a character class. The '[:space:]' is
> not the equivalent of '[ \f\n\r\t\v]', but '[[:space:]]' is.
> Thanks for the feedback on this, Robin. Sorry for the unnecessary list
> Lloyd Brown
> Systems Administrator
> Fulton Supercomputing Lab
> Brigham Young University
> On 10/22/2015 11:08 AM, Lloyd Brown wrote:
>> Well, okay. From what I can tell experimentally, it doesn't have
>> working shortcuts like "\s" or "[:space:]" either, so I guess I'm left
>> to do it more like *this* attachment.
>> Unless I'm missing something obvious. I'd be happy to be wrong on this one.
>> Lloyd Brown
>> Systems Administrator
>> Fulton Supercomputing Lab
>> Brigham Young University
>> On 10/22/2015 10:03 AM, Samuel Oehlert wrote:
>>> I know Bro's regex syntax is almost exactly the same as Flex (only
>>> differing in some very edge cases). I am not positive, but from a
>>> cursory google it seems Flex doesn't understand word boundaries.
>>> On Thu, Oct 22, 2015 at 8:05 AM, Lloyd Brown <lloyd_brown at byu.edu> wrote:
>>> Hopefully this isn't too simplistic of a question, but I'm just getting
>>> started with Bro.
>>> In the text pattern syntax for Bro, is there an easy way to define
>>> word boundaries, similar to how some of the RegEx dialects use '\b',
>>> '\<', '\>', etc.?
>>> I'm trying to match for specific strings in a data stream. For example,
>>> the word "nmap". I'm trying several approaches, based on past RegEx
>>> knowledge, and I'm having trouble coming up with a single pattern that
>>> would handle it all. Example bro test script attached; hopefully it's
>>> Fundamentally, is there a syntax reference for pattern matching, or does
>>> it conform to a commonly known dialect (e.g. POSIX-style RegEx, or PCRE
>>>  https://www.bro.org/sphinx/scripting/index.html#pattern
>>>  http://www.regular-expressions.info/wordboundaries.html
>>> Lloyd Brown
>>> Systems Administrator
>>> Fulton Supercomputing Lab
>>> Brigham Young University
>>> Bro mailing list
>>> bro at bro-ids.org
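An added example, not part of the thread and not code from the Bro project, covering the two points discussed above: POSIX class names such as [:space:] only act as classes inside a bracket expression, and a word boundary can be emulated by padding the input and requiring a non-word character on each side of the keyword. The names `nmap_word`, `literal_set`, `whitespace` and `has_word_nmap`, the lowercasing step and the sample strings are assumptions made for illustration.

```bro
# Added example; names and sample strings are constructed for illustration.

# Inside a bracket expression, [:alnum:] is the POSIX class. This pattern
# requires one non-word character on each side of "nmap".
const nmap_word = /[^[:alnum:]_]nmap[^[:alnum:]_]/;

# A bare [:space:] is itself a bracket expression listing the literal
# characters ':', 's', 'p', 'a', 'c', 'e'. The doubled form is whitespace.
const literal_set = /[:space:]/;
const whitespace = /[[:space:]]/;

function has_word_nmap(s: string): bool
	{
	# Pad both ends so a hit at the very start or end of the input still
	# has a non-word neighbour; no anchors are needed.
	# to_lower() is an assumption: it makes the match case-insensitive.
	return nmap_word in (" " + to_lower(s) + " ");
	}

event bro_init()
	{
	# Constructed inputs: the first three contain "nmap" as a whole word,
	# the last three only as part of a longer word.
	local samples = vector("nmap -sS 10.0.0.1",
	                       "User-Agent: Nmap Scripting Engine",
	                       "tool=nmap",
	                       "unmapped",
	                       "nmapper",
	                       "run_nmap_now");

	for ( i in samples )
		print samples[i], has_word_nmap(samples[i]);

	# Contrast the single-bracket and double-bracket forms on input
	# with and without whitespace.
	print "single brackets on 'pace'", literal_set in "pace";
	print "double brackets on 'pace'", whitespace in "pace";
	print "double brackets on 'a b'", whitespace in "a b";
	}
```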