[Bro] Patterns and Word Boundaries

Daniel Guerra daniel.guerra69 at gmail.com
Thu Oct 22 15:56:28 PDT 2015


Have you read this?

http://flex.sourceforge.net/manual/Patterns.html

Regex != Flex 

> On 22 Oct 2015, at 23:32, Lloyd Brown <lloyd_brown at byu.edu> wrote:
> 
> For future list-viewers, yes, I was missing something obvious.  The word
> boundaries are genuinely missing, but I was using the shortcuts like
> '[:space:]' incorrectly.
> 
> In short, '[:space:]' and others like it, are not character classes
> themselves, but they can exist in a character class.  The '[:space:]' is
> not the equivalent of '[ \f\n\r\t\v]', but '[[:space:]]' is.
> 
> Thanks for the feedback on this, Robin.  Sorry for the unnecessary list
> noise.
> 
> Lloyd Brown
> Systems Administrator
> Fulton Supercomputing Lab
> Brigham Young University
> http://marylou.byu.edu
> 
> On 10/22/2015 11:08 AM, Lloyd Brown wrote:
>> Well, okay.  From what I can tell experimentally, it doesn't have
>> working shortcuts like "\s" or "[:space:]" either, so I guess I'm left
>> to do it more like *this* attachment.
>> 
>> Unless I'm missing something obvious.  I'd be happy to be wrong on this one.
>> 
>> Lloyd Brown
>> Systems Administrator
>> Fulton Supercomputing Lab
>> Brigham Young University
>> http://marylou.byu.edu
>> 
>> On 10/22/2015 10:03 AM, Samuel Oehlert wrote:
>>> I know Bro's regex syntax is almost exactly the same as Flex (only
>>> differing in some very edge cases). I am not positive, but from a
>>> cursory google it seems Flex doesn't understand word boundaries.
>>> 
>>> -Sam
>>> 
>>> On Thu, Oct 22, 2015 at 8:05 AM, Lloyd Brown <lloyd_brown at byu.edu> wrote:
>>> 
>>>    Hopefully this isn't too simplistic of a question, but I'm just getting
>>>    started with Bro.
>>> 
>>>    In the text pattern syntax for Bro [1], is there an easy way to define
>>>    word boundaries, similar to how some of the RegEx dialects use '\b',
>>>    '\<', '\>', etc.? [2]
>>> 
>>>    I'm trying to match for specific strings in a data stream.  For example,
>>>    the word "nmap".  I'm trying several approaches, based on past RegEx
>>>    knowledge, and I'm having trouble coming up with a single pattern that
>>>    would handle it all.  Example bro test script attached; hopefully it's
>>>    clear.
>>> 
>>>    Fundamentally, is there a syntax reference for pattern matching, or does
>>>    it conform to a commonly known dialect (e.g. POSIX-style RegEx, or PCRE
>>>    RegEx)?
>>> 
>>> 
>>>    [1] https://www.bro.org/sphinx/scripting/index.html#pattern
>>>    [2] http://www.regular-expressions.info/wordboundaries.html
>>> 
>>>    --
>>>    Lloyd Brown
>>>    Systems Administrator
>>>    Fulton Supercomputing Lab
>>>    Brigham Young University
>>>    http://marylou.byu.edu
>>> 
>>>    _______________________________________________
>>>    Bro mailing list
>>>    bro at bro-ids.org <mailto:bro at bro-ids.org>
>>>    http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
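
Added example, not part of the thread or of Bro's own scripts: one way to get word-boundary behaviour for "nmap" using only the bracket expressions discussed above. The constant and function names are made up for illustration, the sample strings are constructed, and it assumes Bro accepts negated bracket expressions such as `[^[:alnum:]_]` the way the Flex manual describes them.

```bro
# Added illustration; names below are hypothetical, sample strings are constructed.

# A POSIX class name is only valid inside a bracket expression, so the
# whitespace class is written [[:space:]], never a bare [:space:].
const nmap_ws_delimited = /[[:space:]]nmap[[:space:]]/;

# Stand-in for \bnmap\b: require a character that cannot be part of a word
# on each side of "nmap".
const nmap_as_word = /[^[:alnum:]_]nmap[^[:alnum:]_]/;

function has_word_nmap(data: string): bool
	{
	# Pad both ends so "nmap" at the very start or end of the data still
	# has a delimiter character next to it.
	return nmap_as_word in (" " + data + " ");
	}

event bro_init()
	{
	local samples = vector(
		"nmap",                    # the word alone
		"log mentions nmap here",  # whitespace on both sides
		"tool=(nmap);",            # punctuation on both sides
		"zenmap",                  # part of a longer word
		"unmapped"                 # part of a longer word
	);

	# Print each sample with the result of the whitespace-only pattern
	# and of the padded word-boundary check.
	for ( i in samples )
		print samples[i],
		      nmap_ws_delimited in samples[i],
		      has_word_nmap(samples[i]);
	}
```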



