[Bro-Dev] #328: Patch to add programmatic pattern construction at init time. (was: Programmatic pattern construction at init time.)

Bro Tracker bro at tracker.icir.org
Tue Dec 7 12:15:31 PST 2010 

#328: Patch to add programmatic pattern construction at init time.
---------------------+----------------------
  Reporter:  seth    |      Owner:  robin
      Type:  Patch   |     Status:  assigned
  Priority:  Normal  |  Milestone:  Bro1.6
 Component:  Bro     |    Version:
Resolution:          |   Keywords:
---------------------+----------------------
Changes (by seth):

 * owner:   => robin
 * status:  new => assigned
 * type:  Feature Request => Patch


Old description:

> bro.bif contains functions for dynamically creating patterns but they are
> disabled if reading live traffic because the DFA and NFA data structures
> can't be fully cleaned up.  It would be useful to be able to call these
> functions in bro_init handlers regardless of if live traffic is being
> analyzed which should be acceptable for memory concerns but allows
> patterns to be built from configuration variables.
>
> Here are the functions:
>
> {{{
> function merge_pattern%(p1: pattern, p2: pattern%): pattern
> function string_to_pattern%(s: string, convert: bool%): pattern
> }}}

New description:

 bro.bif contains functions for dynamically creating patterns but they are
 disabled if reading live traffic because the DFA and NFA data structures
 can't be fully cleaned up.  It would be useful to be able to call these
 functions in bro_init handlers regardless of if live traffic is being
 analyzed which should be acceptable for memory concerns but allows
 patterns to be built from configuration variables.

 Here are the functions:

 {{{
 function merge_pattern%(p1: pattern, p2: pattern%): pattern
 function string_to_pattern%(s: string, convert: bool%): pattern
 }}}

 ** Updated **

 Now it's possible to use these functions in bro_init handlers.  Previously
 it was possible to use them anywhere if not running on live traffic, but
 that capability has been removed to avoid potential confusion when writing
 scripts.  This code is definitely going to need reviewed, I made changes
 to the Event class that I don't feel completely confident about.

--

Comment:

 Patch attached

-- 
Ticket URL: <http://tracker.icir.org/bro/ticket/328#comment:1>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list