Getting matched substrings ???

Yohann_THOMAS · April 6, 2004, 2:38pm

Hi !

I'm having a look at Bro and I'd like first to congratulate people involved in the project for this great work !!!

The concept of contextual signature language seems very interesting, but I'm having a little problem...In fact, I read in the paper "Bro: A System for Detecting Network Intruders in Real-Time" this phrase about REGEX implementation : "Second, we anticipate matching sets of patterns and wanting to know which subset were matched by a given set of text...". I thought I could get the matched substring by the signatures, but unfortunately I can't get out of it...

Is it possible to get these substrings in a policy script when a signature matches, or am I misunderstanding the quoted phrase ???

Thanks.

Yohann.

robin · April 6, 2004, 4:02pm

event signature_match(state: signature_state, msg: string, data: string)

The 'data' parameter of the signature_match event contains the
payload that lead to the match. (More precisely, it contains the
last chunk of payload that eventually triggered the match; for TCP,
it depends on the reassembly what exactly is passed).

Is this what you're looking for?

Robin

Topic		Replies	Views
Getting matched substrings ??? Zeek	4	101	May 6, 2022
Data truncated in signature_match and misc questions Zeek	4	74	May 6, 2022
signature match bug Zeek	2	90	May 6, 2022
Segmentation fault with RuleMatcher Zeek	7	90	May 6, 2022
Bro: TCP, regex Zeek	4	95	May 6, 2022

Getting matched substrings ???

Related topics