[Bro] Bro: TCP, regex

Adayadil Thomas adayadil.thomas at gmail.com
Wed Nov 7 16:15:52 PST 2007


> Yes, it will if you're referring to Bro's signatures.
..
> On the scripting layer things work a bit differently.

Do the Bro signatures work on a different layer than the
scripting/policy layer?

> Signature
> matching is performed on the payload *stream* independent of any
> packet boundaries (this is different from Snort, or at least it was
> different when I last looked at it; perhaps things have changed
> these days).

In the code, which are the relevant files I need to look at to understand
whether this is done the way you mentioned?

RE.cc, TCP_Contents.cc ?


Thanks





On Nov 7, 2007 3:58 PM, Robin Sommer <robin at icir.org> wrote:
>
> On Wed, Nov 07, 2007 at 14:54 -0500, Adayadil Thomas wrote:
>
> > Now at the later stages, if a regular expression matching is done,
> > will it match across different deliveries?
>
> Yes, it will if you're referring to Bro's signatures. Signature
> matching is performed on the payload *stream* independent of any
> packet boundaries (this is different from Snort, or at least it was
> different when I last looked at it; perhaps things have changed
> these days).
>
> On the scripting layer things work a bit differently. You can use
> regexps there to match on a string but the string needs to be
> available completely at that time. You cannot save the matching
> state so that you could later pass in more data. However, that's
> usually not a problem because the core already extracts the right
> semantic units from the protocols on which you can then match. A
> typical example are URLs from HTTP sessions: the core will take care
> that a script always sees complete URLs; the stream reassembly
> happens before the HTTP decoder extracts the URLs. So matching a
> regexp on the URL you get from the core will work fine even if in
> the original packet stream the URL crosses packet boundaries.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
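The distinction Robin describes (a signature regex applied to the reassembled payload stream, versus a script regex applied to a complete semantic unit such as a URL the core has already extracted) can be shown with a small constructed example. This is added illustration code, not Bro's own implementation: the segments, the signature and the toy reassembler are all made up for the demonstration, and the reassembler only handles in-order/out-of-order/overlapping data for a single direction and stops at the first gap.

```python
import re

# Constructed signature: flags a "../" sequence inside an HTTP request line.
# A Bro signature would be applied to the reassembled stream, not to packets.
SIGNATURE = re.compile(rb"GET [^ ]*\.\./[^ ]* HTTP/1\.[01]")

# Constructed sample: one HTTP request split across three TCP segments,
# delivered out of order. The "../" straddles the boundary between the first
# and second segments, so no single segment contains the whole pattern.
# Each entry is (relative sequence number, payload bytes).
SEGMENTS = [
    (0,  b"GET /images/."),
    (29, b"notes.txt HTTP/1.0\r\nHost: example.test\r\n\r\n"),
    (13, b"./../../private/"),
]


def reassemble(segments):
    """Order segments by sequence number and concatenate contiguous payload.
    Overlapping retransmitted bytes are dropped (first copy wins); at the
    first gap we stop, since matching past a hole would give wrong results."""
    stream = bytearray()
    for seq, payload in sorted(segments):
        if seq > len(stream):
            break                                  # missing bytes: wait
        stream += payload[len(stream) - seq:]      # skip already-seen overlap
    return bytes(stream)


def match_per_segment(segments):
    """Packet-by-packet matching: returns seq numbers of segments that match."""
    return [seq for seq, payload in segments if SIGNATURE.search(payload)]


def match_stream(segments):
    """Stream matching (the Bro signature model): match on reassembled data."""
    m = SIGNATURE.search(reassemble(segments))
    return m.group(0) if m else None


def extract_url(stream):
    """Toy stand-in for the HTTP decoder: pull the complete request URL out of
    the reassembled stream, which is what a script-layer regex would then see."""
    m = re.match(rb"[A-Z]+ ([^ ]+) HTTP/1\.[01]\r\n", stream)
    return m.group(1) if m else None
```

Per-segment matching finds nothing, while the same regex on the reassembled stream matches, and the decoder hands the script layer one complete URL regardless of where the segment boundaries fell.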


