[Bro] Plugin regex issue

Josh Liburdi liburdi.joshua at gmail.com
Tue Dec 1 12:38:28 PST 2015


Hi all,

I have a quick question regarding Bro’s plugin structure. I’m working on a protocol analyzer plugin that works well, except for one thing: I can’t use Binpac's RE primitive type in my protocol.pac file. My suspicion is that regex may need to be explicitly loaded for the plugin. I’ve tested the same code by compiling it into Bro and it works there, just not as a plugin.

Is anyone (perhaps the Bro team, Robin?) aware of an issue using RE primitives in plugins? Every other primitive type I’ve tested works.

The analyzer is a very early work in progress, but you can find and test the issue if you want: https://github.com/jshlbrd/bro-analyzers/tree/master/stun-protocol-plugin

Further details below …

type STUN_UDP_MAGIC_PDU(is_orig: bool) = record {
	message_type:	uint16;
	message_len:		uint16;
	magic_cookie:		RE/\x21\x12\xa4\x42/;
	trans_id:			bytestring &length=12;
	#attributes:		STUN_ATTRIBUTE[] &until($input.length() == 0);
} &byteorder=bigendian &length=message_len+20;

In the record above, when used as a plugin, the magic_cookie is skipped. When compiled, it works as expected.

Thanks!

Josh
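
Added example, not part of the original post or the plugin's code: a standalone Python reference parser for the header layout in the record above, which can be run over a captured UDP payload to confirm what the magic_cookie field should match when comparing the plugin build against the compiled-in build. The names parse_stun_header, StunParseError and SAMPLE_REQUEST are hypothetical, and the sample packet is constructed.

```python
import struct

# Same four bytes as the RE in the record: /\x21\x12\xa4\x42/
MAGIC_COOKIE = b"\x21\x12\xa4\x42"
# message_type (2) + message_len (2) + magic_cookie (4) + trans_id (12),
# which is the constant in &length=message_len+20
HEADER_LEN = 20


class StunParseError(ValueError):
    """Raised when the payload does not fit the record layout."""


def parse_stun_header(data: bytes) -> dict:
    """Parse one PDU laid out like STUN_UDP_MAGIC_PDU (big-endian)."""
    if len(data) < HEADER_LEN:
        raise StunParseError("truncated header: %d bytes" % len(data))

    message_type, message_len = struct.unpack_from("!HH", data, 0)

    # The field the post reports as skipped in the plugin build.
    magic_cookie = data[4:8]
    if magic_cookie != MAGIC_COOKIE:
        raise StunParseError("magic cookie mismatch: %s" % magic_cookie.hex())

    # The record's total length is message_len + 20; reject short payloads
    # rather than reading attributes that are not there.
    if len(data) < HEADER_LEN + message_len:
        raise StunParseError(
            "message_len=%d but only %d attribute bytes present"
            % (message_len, len(data) - HEADER_LEN)
        )

    return {
        "message_type": message_type,
        "message_len": message_len,
        "magic_cookie": magic_cookie,
        "trans_id": data[8:20],
        "attributes": data[HEADER_LEN:HEADER_LEN + message_len],
    }


# Constructed sample: type 0x0001, zero-length body, sequential transaction id.
SAMPLE_REQUEST = struct.pack("!HH", 0x0001, 0) + MAGIC_COOKIE + bytes(range(12))

if __name__ == "__main__":
    print(parse_stun_header(SAMPLE_REQUEST))
```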