[Bro-Dev] patterns and &&/|| vs. &/| operators
vern at corelight.com
Thu Jun 21 14:25:48 PDT 2018
> though maybe p1 + p2 would be even better at expressing that
> concatenation is happening?
I think this is somewhat problematic, since '+' already has a
regular-expression meaning which is different. In addition, '&' is
a more natural dual to '|' than '+' is. Indeed, in some contexts
'|' and '+' are synonyms (e.g., I originally wanted them both for
> I also notice from :
> `r/s': an `r' but only if it is followed by an `s' ...
> Maybe another option?
Note that Bro's REs don't support that ... and in general that operator
is a PITA to support correctly+efficiently. It would also step on the
current syntax of '/'s being used to express /re/ 's.
> Just making suggestions since I didn't quite get what p1 & p2 would do at first.
Interestingly, I discovered that we have a BIF merge_pattern(p1, p2) which
does the same thing as "p1 & p2" (in the new syntax). As best as I can
tell it's not used anywhere - plus it's funky (only allows itself to be
called if Bro isn't processing traffic yet). Perhaps we can deprecate it, too?
More information about the bro-dev