[Bro-Dev] #844: UDP payload signature patterns don't match packet-wise
Bro Tracker
bro at tracker.bro-ids.org
Tue Jul 3 15:07:22 PDT 2012
#844: UDP payload signature patterns don't match packet-wise
---------------------+------------------------
Reporter: jsiwek | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone:
Component: Bro | Version: git/master
Keywords: |
---------------------+------------------------
The docs say:
{{{
Regular expressions are implicitly anchored, i.e., they work as if
prefixed with the ^ operator. For reassembled TCP connections, they are
anchored at the first byte of the payload stream. For all other
connections, they are anchored at the first payload byte of each packet.
To match at arbitrary positions, you can prefix the regular expression
with .*, as done in the examples above.
}}}
But for a UDP connection made up of 2 packets with payloads "XXXX" and
then "YYYY", I still need the ".*" prefix to match on the 2nd:
{{{
signature yyyy {
    ip-proto = udp
    payload /.*YYYY/
    event "Found YYYY"
}
}}}
Changing the pattern to `/YYYY/` or `/^YYYY/` results in no match (but
does match if I flip the order of the packets).
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/844>
Bro Tracker <http://tracker.bro-ids.org/bro>
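
An added example, not part of the ticket or of Bro's code: a small Python model of the two anchoring rules quoted from the docs, run over the ticket's two-packet flow, so the expected per-packet result can be compared with the stream-anchored one. It assumes Python's `re` as a stand-in for Bro's signature matcher; `packetwise_hits`, `streamwise_hit` and `compare` are hypothetical names, and the payloads are constructed from the ticket's description.

```python
import re

def packetwise_hits(pattern, payloads):
    """Documented rule for non-TCP traffic: the implicit ^ is applied again
    at the first payload byte of every packet.
    Returns the indices of the packets whose payload matches."""
    rx = re.compile(pattern, re.DOTALL)
    # re.match() anchors at offset 0, like the implicit ^ in the docs.
    return [i for i, payload in enumerate(payloads) if rx.match(payload)]

def streamwise_hit(pattern, payloads):
    """Documented rule for reassembled TCP: a single anchor at the first
    byte of the whole payload stream. Returns True on a match."""
    rx = re.compile(pattern, re.DOTALL)
    return rx.match(b"".join(payloads)) is not None

def compare(payloads):
    """Evaluate the three pattern variants from the ticket under both rules.
    Returns {pattern: (packet-wise hit indices, stream-wise hit)}."""
    result = {}
    for pattern in (rb"YYYY", rb"^YYYY", rb".*YYYY"):
        result[pattern.decode()] = (
            packetwise_hits(pattern, payloads),
            streamwise_hit(pattern, payloads),
        )
    return result

if __name__ == "__main__":
    # Constructed sample flows: the ticket's order, then the flipped order.
    flows = {
        "XXXX then YYYY": [b"XXXX", b"YYYY"],
        "YYYY then XXXX": [b"YYYY", b"XXXX"],
    }
    for name, payloads in flows.items():
        print(name)
        for pattern, (per_packet, stream) in compare(payloads).items():
            print(f"  /{pattern}/  packet-wise hits={per_packet}  "
                  f"stream-wise hit={stream}")
```

For the XXXX-then-YYYY flow, `/YYYY/` and `/^YYYY/` hit only under the packet-wise rule; the results reported in the ticket coincide with the stream-anchored column of this model.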