[Bro] Bro: TCP, regex

Adayadil Thomas adayadil.thomas at gmail.com
Wed Nov 7 11:54:26 PST 2007


Greetings.

I have a question regarding bro's analysis.

Consider a TCP connection: as the segments come in, they are being
"delivered" to different analyzers.
If there are out-of-order segments, then the TCP Reassembler stores
them and delivers them in order.
Now at the later stages, if a regular expression match is done,
will it match across different deliveries?
For example, if a regex is trying to match across 'N' bytes where N is
large (say 1MB), is this possible with Bro?
Or is the window for matching smaller?

e.g.

TCP connection established
<start of data> (regular expression partially matched)
<more data>
...1MB data
<end of data> (regular expression match completed)

Is a regular expression match like this possible with Bro?
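The scenario asked about above, as an added example that is not part of the original post and not Bro's own code: a small Python simulation of a TCP reassembler that buffers out-of-order segments and hands contiguous data to a stream-oriented regex matcher whose partial-match state survives from one delivery to the next, so a pattern such as `BEGIN.*END` can start in one segment and finish many kilobytes later in another. The regex subset (literal bytes, `.`, and a postfix `*`), the segment sizes, the reordering pattern and the sample payload are all my own assumptions for the demonstration; Bro's real reassembler and matching engine are not reproduced here.

```python
"""Added example (not Bro's code): in-order reassembly feeding a matcher
that keeps its state across deliveries, so one regex can span segments."""
from typing import Callable, Dict, List, Optional, Set, Tuple


class StreamRegex:
    """Streaming matcher for a tiny regex subset: a literal byte or '.',
    each optionally followed by '*'. The state is the set of pattern
    positions still alive, so feed() can be called once per delivered chunk
    and a match may begin in one chunk and complete in a later one."""

    def __init__(self, pattern: bytes) -> None:
        # Each atom is (byte value or None for '.', starred?)
        self.atoms: List[Tuple[Optional[int], bool]] = []
        i = 0
        while i < len(pattern):
            atom = None if pattern[i] == ord(".") else pattern[i]
            starred = i + 1 < len(pattern) and pattern[i + 1] == ord("*")
            self.atoms.append((atom, starred))
            i += 2 if starred else 1
        self.n = len(self.atoms)          # position n == "pattern complete"
        self.active: Set[int] = set()     # live positions carried across chunks
        self.offset = 0                   # stream bytes consumed so far
        self.match_end: Optional[int] = None  # offset just past first match

    def _closure(self, states: Set[int]) -> Set[int]:
        # A starred atom may be skipped: follow those epsilon edges.
        out: Set[int] = set()
        stack = list(states)
        while stack:
            s = stack.pop()
            if s in out:
                continue
            out.add(s)
            if s < self.n and self.atoms[s][1]:
                stack.append(s + 1)
        return out

    def feed(self, chunk: bytes) -> Optional[int]:
        """Consume one in-order chunk; return the end offset of the first
        complete match seen so far (None if no match yet)."""
        for b in chunk:
            # Unanchored search: a fresh attempt may start at every byte.
            current = self._closure(self.active | {0})
            nxt: Set[int] = set()
            for s in current:
                if s == self.n:
                    continue
                atom, starred = self.atoms[s]
                if atom is None or atom == b:
                    nxt.add(s + 1)
                    if starred:
                        nxt.add(s)        # a starred atom may repeat
            self.offset += 1
            self.active = self._closure(nxt)
            if self.n in self.active and self.match_end is None:
                self.match_end = self.offset
        return self.match_end


class Reassembler:
    """Buffers out-of-order segments and delivers contiguous data in order.
    Simplifications (assumed for the demo): no sequence-number wraparound,
    and overlap is only trimmed against already-delivered data."""

    def __init__(self, isn: int, sink: Callable[[bytes], object]) -> None:
        self.next_seq = isn
        self.pending: Dict[int, bytes] = {}
        self.sink = sink                  # receives in-order chunks

    def segment(self, seq: int, data: bytes) -> None:
        if seq + len(data) <= self.next_seq:
            return                        # retransmission of delivered data
        if seq < self.next_seq:           # partial overlap: drop the old prefix
            data = data[self.next_seq - seq:]
            seq = self.next_seq
        self.pending[seq] = data
        while self.next_seq in self.pending:   # deliver everything contiguous
            chunk = self.pending.pop(self.next_seq)
            self.next_seq += len(chunk)
            self.sink(chunk)


def run_demo(filler_len: int = 64 * 1024, mss: int = 1460) -> Tuple[Optional[int], int]:
    """Constructed stream: the pattern's start and end are filler_len bytes
    apart, the stream is cut into mss-sized segments, every adjacent pair is
    swapped so half the segments arrive early, and one segment is duplicated.
    Returns (match end offset, total stream length)."""
    payload = b"GET /x HTTP/1.1\r\nBEGIN" + b"a" * filler_len + b"END\r\n"
    matcher = StreamRegex(b"BEGIN.*END")
    reasm = Reassembler(isn=1000, sink=matcher.feed)
    segs = [(1000 + off, payload[off:off + mss]) for off in range(0, len(payload), mss)]
    for i in range(0, len(segs) - 1, 2):
        segs[i], segs[i + 1] = segs[i + 1], segs[i]   # out-of-order arrival
    segs.append(segs[0])                               # late duplicate
    for seq, data in segs:
        reasm.segment(seq, data)
    return matcher.match_end, len(payload)


if __name__ == "__main__":
    end, total = run_demo()
    print(f"match completed at stream offset {end} of {total} bytes")
```

The important property is that `StreamRegex` never looks at segment boundaries: `Reassembler` hides them, and the matcher's `active` set is the only thing carried between deliveries, so the distance between `BEGIN` and `END` is limited by nothing in the matcher itself. A real engine also has to worry about cost, since an unbounded `.*` keeps a position alive for the rest of the connection, which is why production matchers bound or compile away such state rather than keep arbitrary sets per byte.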


