[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Mon Apr 6 13:58:00 PDT 2015


     [ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-844:
-----------------------------

    Assignee:     (was: Jon Siwek)

> UDP payload signature patterns don't match packet-wise
> ------------------------------------------------------
>
>                 Key: BIT-844
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-844
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Priority: Low
>             Fix For: 2.4
>
>
> The docs say:
> {noformat}
> Regular expressions are implicitly anchored, i.e., they work as if prefixed with the ^ operator. For reassembled TCP connections, they are anchored at the first byte of the payload stream. For all other connections, they are anchored at the first payload byte of each packet. To match at arbitrary positions, you can prefix the regular expression with .*, as done in the examples above.
> {noformat}
> But for a UDP connection made up of 2 packets with payloads "XXXX'" and then "YYYY", I still need the ".*" prefix to match on the 2nd:
> {noformat}
> signature yyyy {
>  ip-proto = udp
>  payload /.*YYYY/
>  event "Found YYYY"
> }
> {noformat}
> Changing the pattern to {{/YYYY/}} or {{/^YYYY/}} results in no match (but does match if I flip the order of the packets).



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
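
The mismatch described in the report, as an added Python example that is not part of the original message and is not Bro code. `match_per_packet` follows the documented rule; `match_flow_anchored` is an assumed model (anchor once at the first payload byte of the flow) that reproduces the reported symptoms. The function names are hypothetical and the payloads are constructed from the report.

```python
import re

# Constructed sample flows: the two UDP payloads from the report, in both orders.
FLOWS = {"XXXX,YYYY": [b"XXXX", b"YYYY"], "YYYY,XXXX": [b"YYYY", b"XXXX"]}
PATTERNS = [rb".*YYYY", rb"YYYY", rb"^YYYY"]

def match_per_packet(pattern, packets):
    """Documented non-TCP rule: anchor at the first payload byte of each packet."""
    rx = re.compile(pattern, re.DOTALL)
    return [i for i, payload in enumerate(packets) if rx.match(payload)]

def match_flow_anchored(pattern, packets):
    """Assumed model of the reported behaviour: anchor once, at the first
    payload byte of the flow, and carry the match across later packets."""
    rx = re.compile(pattern, re.DOTALL)
    stream, hits = b"", []
    for i, payload in enumerate(packets):
        seen = len(stream)
        stream += payload
        m = rx.match(stream)          # re.match anchors at offset 0 of the flow
        if m and m.end() > seen:      # the match completes inside packet i
            hits.append(i)
    return hits

def divergences():
    """(pattern, flow) pairs where the two anchoring models disagree."""
    out = []
    for name, packets in FLOWS.items():
        for pat in PATTERNS:
            if match_per_packet(pat, packets) != match_flow_anchored(pat, packets):
                out.append((pat.decode(), name))
    return out

if __name__ == "__main__":
    for name, packets in FLOWS.items():
        for pat in PATTERNS:
            print(f"{name:10} /{pat.decode()}/ "
                  f"per-packet={match_per_packet(pat, packets)} "
                  f"flow-anchored={match_flow_anchored(pat, packets)}")
    print("divergent cases:", divergences())
```

The divergent cases are the ones a signature author would hit: a pattern written without the `.*` prefix silently misses payloads in any packet after the first.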

