[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise

Robin Sommer (JIRA) jira at bro-tracker.atlassian.net
Fri Apr 10 07:45:01 PDT 2015

    [ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20245#comment-20245 ] 

Robin Sommer commented on BIT-844:

Looking at the code again, I believe we still need this ExecPureRules() call. It's actually playing a similar role as the one in FinishEndpoint: making sure that at the end of the matching process, we have indeed reported all matches. However, for packet-wise matching, "the end of the matching process" occurs with every packet, i.e., each time the state gets cleared. That's also the interpretation of the end-of-stream here; it's essentially reporting lots of little streams to the engine.

So I believe that without this call, there could be matches missing for some forms of "pure" rules (those without any payload patterns). It's unlikely and these are rarely used these days anyways, and I'm not gonna bother finding a test case, but I'll add the call back in; shouldn't change anything else anyways.

> UDP payload signature patterns don't match packet-wise
> ------------------------------------------------------
>                 Key: BIT-844
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-844
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Robin Sommer
>            Priority: Low
>             Fix For: 2.4
> The docs say:
> {noformat}
> Regular expressions are implicitly anchored, i.e., they work as if prefixed with the ^ operator. For reassembled TCP connections, they are anchored at the first byte of the payload stream. For all other connections, they are anchored at the first payload byte of each packet. To match at arbitrary positions, you can prefix the regular expression with .*, as done in the examples above.
> {noformat}
> But for a UDP connection made up of 2 packets with payloads "XXXX" and then "YYYY", I still need the ".*" prefix to match on the 2nd:
> {noformat}
> signature yyyy {
>  ip-proto = udp
>  payload /.*YYYY/
>  event "Found YYYY"
> }
> {noformat}
> Changing the pattern to {{/YYYY/}} or {{/^YYYY/}} results in no match (but does match if I flip order of packets).
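The anchoring semantics at issue in this ticket, as an added model (not Bro's own matcher code): implicitly anchored patterns run once over the whole flow (the behaviour the reporter observed for UDP) versus per packet with the state cleared after each one (what the docs promise for non-TCP). Packet payloads and signature names are constructed for the example.

```python
import re

# Constructed sample UDP flow from the ticket: two packets, payloads "XXXX" then "YYYY".
PACKETS = [b"XXXX", b"YYYY"]

# Constructed signatures mirroring the ticket: name -> pattern (implicitly anchored).
SIGNATURES = {
    "yyyy_anchored": rb"YYYY",    # per the docs this should match the 2nd UDP packet
    "yyyy_wildcard": rb".*YYYY",  # the workaround the reporter needed
    "xxxx_anchored": rb"XXXX",
}


def _anchored(pattern: bytes) -> re.Pattern:
    # Bro signature regexes are implicitly anchored, i.e. they work as if prefixed with '^'.
    return re.compile(rb"^(?:" + pattern + rb")", re.DOTALL)


def match_stream(packets, signatures):
    """Stream-style matching: state is never cleared between packets, so every
    pattern is anchored at the first byte of the whole flow. This models the
    behaviour the reporter saw for UDP, where /YYYY/ on the 2nd packet never matched."""
    data = b"".join(packets)
    return {name for name, pat in signatures.items() if _anchored(pat).match(data)}


def match_packetwise(packets, signatures):
    """Packet-wise matching as documented for non-TCP traffic: each packet is its own
    little stream, so patterns are anchored at the first payload byte of every packet
    and matches are reported at the end of each packet, before the state is cleared."""
    matched = set()
    for payload in packets:
        for name, pat in signatures.items():
            if _anchored(pat).match(payload):
                matched.add(name)
        # end of this packet's "stream": matches reported, state cleared for the next one
    return matched
```

Flipping the packet order changes what the stream-style matcher finds (as the reporter observed), while the packet-wise matcher reports the same set either way.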
