[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise
[ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robin Sommer reassigned BIT-844:

    Assignee: Robin Sommer

UDP payload signature patterns don't match packet-wise
--
    Key: BIT-844
    URL: https://bro-tracker.atlassian.net/browse/BIT-844
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Jon Siwek
    Assignee: Robin Sommer
    Priority: Low
    Fix For: 2.4

The docs say:

{noformat}
Regular expressions are implicitly anchored, i.e., they work as if prefixed with the ^ operator. For reassembled TCP connections, they are anchored at the first byte of the payload stream. For all other connections, they are anchored at the first payload byte of each packet. To match at arbitrary positions, you can prefix the regular expression with .*, as done in the examples above.
{noformat}

But for a UDP connection made up of 2 packets with payloads ' and then , I still need the .* prefix to match on the 2nd:

{noformat}
signature {
  ip-proto = udp
  payload /.*/
  event Found
}
{noformat}

Changing the pattern to {{//}} or {{/^/}} results in no match (but does match if I flip order of packets).

--
This message was sent by Atlassian JIRA (v6.4-OD-16-006#64014)
___
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise
[ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-844:
--
    Fix Version/s: 2.4

UDP payload signature patterns don't match packet-wise
--
    Key: BIT-844
    URL: https://bro-tracker.atlassian.net/browse/BIT-844
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Jon Siwek
    Assignee: Jon Siwek
    Priority: Low
    Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise
[ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=20240#comment-20240 ]

Jon Siwek commented on BIT-844:
---
Fixed in topic/jsiwek/bit-844

Unrelated, I also removed some signature benchmarking code that I don't think deserves to be in the production version of the code.

UDP payload signature patterns don't match packet-wise
--
    Key: BIT-844
    URL: https://bro-tracker.atlassian.net/browse/BIT-844
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Jon Siwek
    Assignee: Jon Siwek
    Priority: Low
    Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise
[ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-844:
--
    Status: Merge Request (was: Open)

UDP payload signature patterns don't match packet-wise
--
    Key: BIT-844
    URL: https://bro-tracker.atlassian.net/browse/BIT-844
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Jon Siwek
    Priority: Low
    Fix For: 2.4
[Bro-Dev] [JIRA] (BIT-844) UDP payload signature patterns don't match packet-wise
[ https://bro-tracker.atlassian.net/browse/BIT-844?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek reassigned BIT-844:
-
    Assignee: (was: Jon Siwek)

UDP payload signature patterns don't match packet-wise
--
    Key: BIT-844
    URL: https://bro-tracker.atlassian.net/browse/BIT-844
    Project: Bro Issue Tracker
    Issue Type: Problem
    Components: Bro
    Affects Versions: git/master
    Reporter: Jon Siwek
    Priority: Low
    Fix For: 2.4
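
Added example, not part of the mailing-list thread and not Bro's code: a Python model of the two anchoring behaviours the report contrasts, packet-wise (as the documentation describes for non-TCP traffic) and stream-wise (consistent with the symptoms reported). The payloads, patterns and function names are constructed for illustration, because the report's own payloads are not preserved on this page.

```python
import re
from typing import Iterable, List, Optional

# Constructed UDP payloads standing in for the two datagrams in the report.
PACKETS = [b"first-datagram", b"second-datagram"]

def match_packetwise(pattern: bytes, packets: Iterable[bytes]) -> Optional[int]:
    """Documented non-TCP behaviour: the pattern is anchored at the first
    payload byte of every packet. Returns the index of the first match."""
    rx = re.compile(pattern, re.DOTALL)
    for i, payload in enumerate(packets):
        if rx.match(payload):          # re.match anchors at offset 0
            return i
    return None

def match_streamwise(pattern: bytes, packets: Iterable[bytes]) -> Optional[int]:
    """Model of the reported symptoms: the anchor applies only to the first
    byte of the first packet, and later payloads extend the same input."""
    rx = re.compile(pattern, re.DOTALL)
    stream = b""
    for i, payload in enumerate(packets):
        stream += payload
        if rx.match(stream):
            return i
    return None

def anchoring_gap(patterns: Iterable[bytes], packets: Iterable[bytes]) -> List[bytes]:
    """Patterns that fire under the documented semantics but stay silent when
    matching is stream-wise, i.e. the detections lost to this behaviour."""
    packets = list(packets)
    return [p for p in patterns
            if match_packetwise(p, packets) is not None
            and match_streamwise(p, packets) is None]

if __name__ == "__main__":
    for pat in (b"second", b"^second", b".*second"):
        print(pat, match_packetwise(pat, PACKETS), match_streamwise(pat, PACKETS))
    print("flipped:", match_streamwise(b"second", PACKETS[::-1]))
    print("gap:", anchoring_gap([b"first", b"second", b".*second"], PACKETS))
```

Running a signature set through `anchoring_gap` against a two-datagram test flow shows which anchored UDP patterns depend on the packet-wise behaviour and would therefore miss traffic on a build without the fix.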