[Bro-Dev] UDP payload signatures

Siwek, Jonathan Luke jsiwek at illinois.edu
Mon Jul 2 15:11:56 PDT 2012


Since there are now UDP payload signatures by default for Teredo/AYIYA DPD, we had talked about checking out the potential/necessity for optimizing those signatures to only check for matches on first packets of a connection.  I don't think it's worth doing now because (1) the default settings only do matching on a connection for the first 1K payload and (2) the internals don't seem to support such an option that well because, internally, multiple patterns get compiled together into a DFA to check matching and the interface to it is geared towards checking if any pattern was matched, not checking if a given pattern didn't match.

So does it sound reasonable to leave out this feature?

Unrelated to that, I was checking how UDP payload patterns were actually matched and found unexpected behavior.  The docs say:

"Regular expressions are implicitly anchored, i.e., they work as if prefixed with the ^ operator. For reassembled TCP connections, they are anchored at the first byte of the payload stream. For all other connections, they are anchored at the first payload byte of each packet. To match at arbitrary positions, you can prefix the regular expression with .*, as done in the examples above."

But for a UDP connection made up of 2 packets with payloads "XXXX" and then "YYYY", I still need the ".*" prefix to match on the 2nd:

signature yyyy {
  ip-proto = udp
  payload /.*YYYY/
  event "Found YYYY"
}

Changing the pattern to /YYYY/ or /^YYYY/ results in no match (but does match if I flip the order of the packets).  Is the bug in the docs or the code?

    Jon
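
The two anchoring interpretations in question, modelled side by side as an added example (not part of the original message and not Bro's matcher code). It assumes Python's `re` as a stand-in for the signature engine, `.` matching any byte, and hypothetical function names; the packet payloads are the constructed ones from the message.

```python
import re

# Patterns tried in the message, written as Python byte regexes.
PATTERNS = [rb".*YYYY", rb"YYYY", rb"^YYYY"]


def first_hit_per_packet(pattern, packets):
    """Documented non-TCP semantics: the pattern is anchored at the first
    payload byte of each packet, so every packet is matched on its own."""
    rx = re.compile(pattern, re.DOTALL)
    for i, payload in enumerate(packets):
        if rx.match(payload):
            return i
    return None


def first_hit_stream(pattern, packets):
    """Alternative model (assumption): matcher state carries over between
    packets, so the pattern is anchored only at the first payload byte of
    the connection and later packets continue the same match attempt."""
    rx = re.compile(pattern, re.DOTALL)
    stream = b""
    for i, payload in enumerate(packets):
        stream += payload
        if rx.match(stream):
            return i  # packet in which the match completed
    return None


def compare(packets):
    """Map each pattern to (per-packet result, stream result)."""
    return {
        p: (first_hit_per_packet(p, packets), first_hit_stream(p, packets))
        for p in PATTERNS
    }


if __name__ == "__main__":
    cases = {
        "XXXX then YYYY": [b"XXXX", b"YYYY"],
        "YYYY then XXXX": [b"YYYY", b"XXXX"],
    }
    for label, packets in cases.items():
        print(label)
        for pattern, (per_pkt, stream) in compare(packets).items():
            print(f"  /{pattern.decode()}/  per-packet={per_pkt}  stream={stream}")
```

Packet indices are zero-based and `None` means the signature never fires. With "XXXX" first, only the stream model reproduces the reported result (no match for /YYYY/ and /^YYYY/, a match for /.*YYYY/); with the packets flipped, both models fire on the first packet for all three patterns.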

