I'm having a look at Bro and I'd like first to congratulate people involved in the project for this great work !!!
The concept of contextual signature language seems very interesting, but I'm having a little problem...In fact, I read in the paper "Bro: A System for Detecting Network Intruders in Real-Time" this phrase about REGEX implementation : "Second, we anticipate matching sets of patterns and wanting to know which subset were matched by a given set of text...". I thought I could get the matched substring by the signatures, but unfortunately I can't get out of it...
Is it possible to get these substrings in a policy script when a signature matches, or am I misunderstanding the quoted phrase ???