[Bro-Dev] patterns and &&/|| vs. &/| operators
vern at corelight.com
Tue Jun 19 11:21:10 PDT 2018
In working on adding bitwise &/| operators for counts, I've come across
apparently undocumented && and || operators for patterns:
p1 && p2 yields a pattern that matches a p1 followed by a p2
p1 || p2 yields a pattern that matches either p1 or p2
Confusingly, Bro also supports "p1 | p2", which means the same as "p1 || p2"
above, but *only* if p1 and p2 are literal patterns, not if they are
variables of type "pattern". (This functionality is in common use.)
It doesn't support "p1 & p2" in any form.
I searched a large corpus of scripts and didn't find any instances of
"p1 && p2" or "p1 || p2" for literal patterns, so I suspect the current
feature is basically unused.
Proposal: as part of adding bitwise &/| operators for counts, I'll
also implement &/| operators for patterns, and remove the current
This seems pretty straightforward to me - but I've mistakenly thought
that about other things before! :-P So if anyone has comments, plz
speak up ...
% bro -e 'print (/foo/ && /bar/) in "xfoobary"'
More information about the bro-dev