[ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jon Siwek updated BIT-844:
--------------------------
    Fix Version/s: 2.4

> UDP payload signature patterns don't match packet-wise
> ------------------------------------------------------
>
> Key: BIT-844
> URL: https://bro-tracker.atlassian.net/browse/BIT-844
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Reporter: Jon Siwek
> Assignee: Jon Siwek
> Priority: Low
> Fix For: 2.4
>
>
> The docs say:
> {noformat}
> Regular expressions are implicitly anchored, i.e., they work as if prefixed
> with the ^ operator. For reassembled TCP connections, they are anchored at
> the first byte of the payload stream. For all other connections, they are
> anchored at the first payload byte of each packet. To match at arbitrary
> positions, you can prefix the regular expression with .*, as done in the
> examples above.
> {noformat}
> But for a UDP connection made up of 2 packets with payloads "XXXX'" and then
> "YYYY", I still need the ".*" prefix to match on the 2nd:
> {noformat}
> signature yyyy {
>   ip-proto = udp
>   payload /.*YYYY/
>   event "Found YYYY"
> }
> {noformat}
> Changing the pattern to {{/YYYY/}} or {{/^YYYY/}} results in no match (but
> does match if I flip order of packets).
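The following is an added Python model, not Bro code and not part of the original message, that compares the documented per-packet anchoring with a stream-wise anchoring against the results reported above. The function names and the stream-wise model are assumptions made for illustration; `re.match` stands in for the implicit `^` anchor.

```python
import re

# Constructed sample: the two UDP payloads from the report, in both orders.
ORDERS = {
    "orig": [b"XXXX", b"YYYY"],
    "flipped": [b"YYYY", b"XXXX"],
}

def match_packetwise(pattern, payloads):
    """Documented non-TCP behaviour: anchor at the first byte of each packet.
    Returns the indexes of the packets that match."""
    rx = re.compile(pattern)
    return [i for i, p in enumerate(payloads) if rx.match(p)]

def match_streamwise(pattern, payloads):
    """Assumed model: anchor once, at the first byte of the first packet,
    and keep matching across the payloads of later packets."""
    return re.compile(pattern).match(b"".join(payloads)) is not None

# Results stated in the report: (pattern, packet order) -> signature fired?
REPORTED = {
    (b".*YYYY", "orig"): True,
    (b"YYYY", "orig"): False,
    (b"^YYYY", "orig"): False,
    (b"YYYY", "flipped"): True,
    (b"^YYYY", "flipped"): True,
}

MODELS = {
    "packet-wise": lambda pat, pkts: bool(match_packetwise(pat, pkts)),
    "stream-wise": match_streamwise,
}

def consistent_models():
    """Names of the models that reproduce every reported result."""
    return [name for name, fn in MODELS.items()
            if all(fn(pat, ORDERS[order]) == fired
                   for (pat, order), fired in REPORTED.items())]

if __name__ == "__main__":
    for (pat, order), fired in REPORTED.items():
        row = {name: fn(pat, ORDERS[order]) for name, fn in MODELS.items()}
        print(pat, order, "reported:", fired, row)
    print("consistent with report:", consistent_models())
```

Under per-packet anchoring an unprefixed `/YYYY/` signature would fire on the second datagram, so a rule set written to the documentation can miss content that does not arrive in the first packet of a UDP flow.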