[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Thu Apr 9 14:52:00 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20243#comment-20243 ] 

Robin Sommer commented on BIT-844:

Unrelated, I also removed some signature "benchmarking" code that I don't think deserves to be in the production version of the code.

Good call.

One question:

void RuleMatcher::ClearEndpointState(RuleEndpointState* state)
-       ExecPureRules(state, 1);

Why the removal of that method call?

> UDP payload signature patterns don't match packet-wise
> ------------------------------------------------------
>                 Key: BIT-844
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-844
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Robin Sommer
>            Priority: Low
>             Fix For: 2.4
> The docs say:
> {noformat}
> Regular expressions are implicitly anchored, i.e., they work as if prefixed with the ^ operator. For reassembled TCP connections, they are anchored at the first byte of the payload stream. For all other connections, they are anchored at the first payload byte of each packet. To match at arbitrary positions, you can prefix the regular expression with .*, as done in the examples above.
> {noformat}
> But for a UDP connection made up of 2 packets with payloads "XXXX'" and then "YYYY", I still need the ".*" prefix to match on the 2nd:
> {noformat}
> signature yyyy {
>  ip-proto = udp
>  payload /.*YYYY/
>  event "Found YYYY"
> }
> {noformat}
> Changing the pattern to {{/YYYY/}} or {{/^YYYY/}} results in no match (but does match if I flip order of packets).

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list