[Bro] count inside a packet, possible?

Ernesto Julio ehjulio at gmail.com
Mon Aug 6 06:28:44 PDT 2012


Hi,

I wonder if anybody could confirm whether or not it is possible to count
within a packet in Bro. What I mean is: if a single packet contains the string
'6xxx6xxx6xxx6', is it possible to use a counter to determine that the number
of '6' characters in the string is 4?

I have been looking at the examples inside Bro where regular expressions
are used, so an option could be '6.+?6.+?6.+?6'. But this might not be
scalable if I need to count for several characters, and in my case, I
don't know the order in which the characters appear in the packet.

I am a Bro newbie; sorry for the question, as I understand this might go
against regular practices (as one might prefer to do a fast matching of
a packet). But I am learning and have the question bugging me.

Many thanks,


Ernesto



