[Bro-Dev] patterns and &&/|| vs. &/| operators

Vern Paxson vern at corelight.com
Tue Jun 19 11:21:10 PDT 2018


In working on adding bitwise &/| operators for counts, I've come across
apparently undocumented && and || operators for patterns:

	p1 && p2 yields a pattern that matches a p1 followed by a p2
	p1 || p2 yields a pattern that matches either p1 or p2

Confusingly, Bro also supports "p1 | p2", which means the same as "p1 || p2"
above, but *only* if p1 and p2 are literal patterns, not if they are
variables of type "pattern".  (This functionality is in common use.)
It doesn't support "p1 & p2" in any form.

I searched a large corpus of scripts and didn't find any instances of
"p1 && p2" or "p1 || p2" for literal patterns, so I suspect the current
feature is basically unused.

Proposal: as part of adding bitwise &/| operators for counts, I'll
also implement &/| operators for patterns, and remove the current
&&/|| functionality.

This seems pretty straightforward to me - but I've mistakenly thought
that about other things before! :-P   So if anyone has comments, plz
speak up ...

		Vern


% bro -e 'print (/foo/ && /bar/) in "xfoobary"'
T


More information about the bro-dev mailing list