[Bro] Patterns and Word Boundaries

Lloyd Brown lloyd_brown at byu.edu
Thu Oct 22 10:08:50 PDT 2015 

Well, okay.  From what I can tell experimentally, it doesn't have
working shortcuts like "\s" or "[:space:]" either, so I guess I'm left
to do it more like *this* attachment.

Unless I'm missing something obvious.  I'd be happy to be wrong on this one.

Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu

On 10/22/2015 10:03 AM, Samuel Oehlert wrote:
> I know Bro's regex syntax is almost exactly the same as Flex (only
> differing in some very edge cases). I am not positive, but from a
> cursory google it seems Flex doesn't understand word boundaries.
> 
> -Sam
> 
> On Thu, Oct 22, 2015 at 8:05 AM, Lloyd Brown <lloyd_brown at byu.edu
> <mailto:lloyd_brown at byu.edu>> wrote:
> 
>     Hopefully this isn't too simplistic of a question, but I'm just getting
>     started with Bro.
> 
>     In the text pattern syntax for Bro [1], is there an easy way to define
>     word boundaries, similar to how some of the RegEx dialects use '\b',
>     '\<', '\>', etc.? [2]
> 
>     I'm trying to match for specific strings in a data stream.  For example,
>     the word "nmap".  I'm trying several approaches, based on past RegEx
>     knowledge, and I'm having trouble coming up with a single pattern that
>     would handle it all.  Example bro test script attached; hopefully it's
>     clear.
> 
>     Fundamentally, is there a syntax reference for pattern matching, or does
>     it conform to a commonly known dialect (eg. POSIX-style RegEx, or PCRE
>     RegEx)?
> 
> 
>     [1] https://www.bro.org/sphinx/scripting/index.html#pattern
>     [2] http://www.regular-expressions.info/wordboundaries.html
> 
>     --
>     Lloyd Brown
>     Systems Administrator
>     Fulton Supercomputing Lab
>     Brigham Young University
>     http://marylou.byu.edu
> 
>     _______________________________________________
>     Bro mailing list
>     bro at bro-ids.org <mailto:bro at bro-ids.org>
>     http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> 
-------------- next part --------------
event bro_init() {
	local testcases = set( 
		"nmap", 		#Should match something
		"test nmap", 		#Should match something
		"nmap test", 		#Should match something
		"test nmap test",	#should match something
		"unmapped_entries",	#Should NOT match any of the patterns
		"test\tnmap",		#Should match something
		"nmap\ttest",		#Should match something
		"test\tnmap\ttest"	#Should match something
		);
	local nmap_patterns = vector( 
		/^nmap$/, 
		/^nmap[ \f\n\r\t\v]/,	#This should be the definition of \s or [:space:]
		/[ \f\n\r\t\v]nmap$/,
		/[ \f\n\r\t\v]nmap[ \f\n\r\t\v]/
		);

	for (testcase in testcases) {
		print fmt("Testcase: \"%s\"", testcase);
		for (pi in nmap_patterns) {
			if ( nmap_patterns[pi] in testcase ) {
				print fmt("     Pattern: %s - Matched", nmap_patterns[pi]);
			} else {
				print fmt("     Pattern: %s - Did NOT match", nmap_patterns[pi]);
			}
		}
	}

}

More information about the Bro mailing list