[Bro-Dev] patterns and &&/|| vs. &/| operators

Jon Siwek jsiwek at corelight.com
Thu Jun 21 15:19:38 PDT 2018


On Thu, Jun 21, 2018 at 4:25 PM Vern Paxson <vern at corelight.com> wrote:
>
> > though maybe p1 + p2 would be even better at expressing that
> > concatenation is happening?
>
> I think this is somewhat problematic, since '+' already has a
> regular-expression meaning which is different.  In addition, '&' is
> a more natural dual to '|' than '+' is.

Yeah, agree w/ that.

> Interestingly, I discovered that we have a BIF merge_pattern(p1, p2) which
> does the same thing as "p1 & p2" (in the new syntax).  As best as I can
> tell it's not used anywhere - plus it's funky (only allows itself to be
> called if Bro isn't processing traffic yet).  Perhaps we can deprecate it, too?

If there actually is no (longer) problems with concatenating patterns
at run-time, I'd agree to deprecate.

I'm imagine it existed because there was such a problem with
dynamically creating patterns at run-time, but don't know/remember
what it was.

- Jon


More information about the bro-dev mailing list