[Bro-Dev] patterns and &&/|| vs. &/| operators

Vern Paxson vern at corelight.com
Thu Jun 21 14:25:48 PDT 2018


> though maybe p1 + p2 would be even better at expressing that
> concatenation is happening?

I think this is somewhat problematic, since '+' already has a
regular-expression meaning which is different.  In addition, '&' is
a more natural dual to '|' than '+' is.  Indeed, in some contexts
'|' and '+' are synonyms (e.g., I originally wanted them both for
set union).

> I also notice from [1]:
> 
>     `r/s': an `r' but only if it is followed by an `s' ...
> 
> Maybe another option?

Note that Bro's REs don't support that ... and in general that operator
is a PITA to support correctly+efficiently.  It would also step on the
current syntax of '/'s being used to express /re/ 's.

> Just making suggestions since I didn't quite get what p1 & p2 would do at first.

Interestingly, I discovered that we have a BIF merge_pattern(p1, p2) which
does the same thing as "p1 & p2" (in the new syntax).  As best as I can
tell it's not used anywhere - plus it's funky (only allows itself to be
called if Bro isn't processing traffic yet).  Perhaps we can deprecate it, too?

		Vern

