[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Thu Apr 9 15:22:01 PDT 2015


    [ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20244#comment-20244 ] 

Jon Siwek commented on BIT-844:
-------------------------------

I didn't see anyone actually call RuleMatcher::ClearEndpointState except for what I added in the patch, so I couldn't really even tell if any of the code there was "correct" to start with, so I was mostly just removing things to adapt it specifically to UDP packet-wise matching.

For the removal of that ExecPureRules call specifically, I noticed the comment in FinishEndpoint saying it has its own ExecPureRules call there to match rules at the end of the connection/stream, so I thought maybe that was the original intention of the now-dead-code in ClearEndpointState and just removed it since FinishEndpoint takes care of it.  And the fact that the call to ExecPureRules is setting the eos parameter to signal end-of-stream makes me unsure whether it would still be in the right place.  What do you think?

> UDP payload signature patterns don't match packet-wise
> ------------------------------------------------------
>
>                 Key: BIT-844
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-844
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Robin Sommer
>            Priority: Low
>             Fix For: 2.4
>
>
> The docs say:
> {noformat}
> Regular expressions are implicitly anchored, i.e., they work as if prefixed with the ^ operator. For reassembled TCP connections, they are anchored at the first byte of the payload stream. For all other connections, they are anchored at the first payload byte of each packet. To match at arbitrary positions, you can prefix the regular expression with .*, as done in the examples above.
> {noformat}
> But for a UDP connection made up of 2 packets with payloads "XXXX" and then "YYYY", I still need the ".*" prefix to match on the 2nd:
> {noformat}
> signature yyyy {
>  ip-proto = udp
>  payload /.*YYYY/
>  event "Found YYYY"
> }
> {noformat}
> Changing the pattern to {{/YYYY/}} or {{/^YYYY/}} results in no match (but does match if I flip order of packets).



--
This message was sent by Atlassian JIRA
(v6.4-OD-16-006#64014)
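To make the anchoring rule quoted from the docs concrete, the following is a small Python model added here; it is not part of the bug report and not Bro's rule matcher. It applies the documented semantics (regex implicitly anchored with ^; anchored per packet for non-TCP, anchored at the start of the reassembled stream for TCP) to the two-datagram example from BIT-844, and separately models the reported behaviour, which is an assumption in this example: the UDP payloads being treated as one stream, so that only the first payload byte of the connection is an anchor. The sample payloads are constructed.

```python
import re

# Constructed sample traffic mirroring the report: two UDP datagrams with
# payloads "XXXX" and then "YYYY".
UDP_PACKETS = [b"XXXX", b"YYYY"]


def compile_anchored(pattern: str) -> re.Pattern:
    """Signature regexes are implicitly anchored, i.e. they behave as if
    prefixed with ^.  \\A makes that explicit; DOTALL lets .* span any byte."""
    return re.compile(rb"\A(?:" + pattern.encode() + rb")", re.DOTALL)


def match_packetwise(pattern: str, packets: list) -> list:
    """Documented behaviour for non-TCP traffic: the pattern is anchored at the
    first payload byte of *each* packet.  Returns the indices of matching packets."""
    rx = compile_anchored(pattern)
    return [i for i, payload in enumerate(packets) if rx.match(payload)]


def match_streamwise(pattern: str, packets: list) -> bool:
    """Documented behaviour for reassembled TCP: the pattern is anchored at the
    first byte of the whole payload stream."""
    rx = compile_anchored(pattern)
    return rx.match(b"".join(packets)) is not None


def match_as_reported(pattern: str, packets: list) -> bool:
    """Assumed model of the behaviour described in BIT-844: UDP payloads are
    effectively matched like a stream, so only the first packet's first byte
    anchors the pattern.  This reproduces 'no match for /YYYY/, but a match if
    the packet order is flipped'."""
    return match_streamwise(pattern, packets)


def compare(pattern: str, packets: list) -> dict:
    """Side-by-side view: what the docs promise for UDP versus the reported result."""
    return {
        "documented_udp_matches": match_packetwise(pattern, packets),
        "reported_udp_match": match_as_reported(pattern, packets),
        "tcp_stream_match": match_streamwise(pattern, packets),
    }


if __name__ == "__main__":
    for pat in ("YYYY", "^YYYY", ".*YYYY"):
        print(f"/{pat}/ on XXXX,YYYY:", compare(pat, UDP_PACKETS))
        print(f"/{pat}/ on YYYY,XXXX:", compare(pat, list(reversed(UDP_PACKETS))))
```

Under the documented rule, /YYYY/ and /^YYYY/ both match the second datagram on their own; the .* prefix is only needed when the payloads are treated as one stream, which is exactly the workaround the report describes.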