Getting matched substrings ???

Vern Paxson vern at icir.org
Tue Apr 6 09:52:53 PDT 2004


> I read in the paper "Bro: A 
> System for Detecting Network Intruders in Real-Time" this phrase about 
> REGEX implementation : "Second, we anticipate matching sets of patterns 
> and wanting to know which subset were matched by a given set of 
> text...". I thought I could get the matched substring by the signatures, 
> but unfortunately I can't get out of it...

(That text refers to regular-expression matching on general strings, rather
 than the context-based signature analyzer that Robin added to Bro, by the
 way.)

Since writing that, Bro's style has moved more towards pushing extraction
of elements into either the event engine itself, or into built-in functions,
rather than trying to do it using regular expressions over strings.  If it
were easy to add subexpressions to Bro's RE matcher, I'd be happy to do so,
but it's quite a bit of work.

If you give an example of where you want to do this, perhaps we can suggest
alternate ways of structuring your analyzer.

		Vern


