[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Fri Apr 3 11:12:00 PDT 2015


     [ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer updated BIT-844:
-----------------------------
    Priority: Low  (was: Normal)

> UDP payload signature patterns don't match packet-wise
> ------------------------------------------------------
>
>                 Key: BIT-844
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-844
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Priority: Low
>
> The docs say:
> {noformat}
> Regular expressions are implicitly anchored, i.e., they work as if prefixed with the ^ operator. For reassembled TCP connections, they are anchored at the first byte of the payload stream. For all other connections, they are anchored at the first payload byte of each packet. To match at arbitrary positions, you can prefix the regular expression with .*, as done in the examples above.
> {noformat}
> But for a UDP connection made up of 2 packets with payloads "XXXX'" and then "YYYY", I still need the ".*" prefix to match on the 2nd:
> {noformat}
> signature yyyy {
>  ip-proto = udp
>  payload /.*YYYY/
>  event "Found YYYY"
> }
> {noformat}
> Changing the pattern to {{/YYYY/}} or {{/^YYYY/}} results in no match (but does match if I flip order of packets).



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
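
To reproduce the report above, two small traces are enough. The following is an added example, not part of the original message or of the Bro project: it builds the two-packet UDP flow in both packet orders as pcap files using only the Python standard library. The addresses, ports, timestamp and file names are constructed, and the first payload is assumed to be `XXXX` (the trailing apostrophe in the report is treated as a typo).

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header (returns 0 for a valid header)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def udp_frame(payload: bytes, ident: int) -> bytes:
    """Ethernet + IPv4 + UDP frame carrying payload (constructed hosts and ports)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    # UDP checksum 0 means "not computed", which is valid over IPv4.
    udp = struct.pack("!HHHH", 40000, 9999, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + udp

def build_pcap(payloads) -> bytes:
    """Classic little-endian pcap, link type 1 (Ethernet), one packet per payload."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, payload in enumerate(payloads):
        frame = udp_frame(payload, ident=i + 1)
        # Constructed timestamps, one second apart; both packets share one 5-tuple.
        out += struct.pack("<IIII", 1428084720 + i, 0, len(frame), len(frame)) + frame
    return out

def write_traces(prefix="bit844"):
    """Write the reported order (XXXX, YYYY) and the flipped order (YYYY, XXXX)."""
    traces = {prefix + "-xy.pcap": [b"XXXX", b"YYYY"],
              prefix + "-yx.pcap": [b"YYYY", b"XXXX"]}
    for name, payloads in traces.items():
        with open(name, "wb") as fh:
            fh.write(build_pcap(payloads))
    return sorted(traces)

if __name__ == "__main__":
    print(write_traces())
```

Read each trace with `bro -r` and load the signature from the report with `-s`, once with `/.*YYYY/` and once with `/YYYY/`. Per the report, the unprefixed pattern matches only in the flipped-order trace, while per-packet anchoring as documented would match in both.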

