Getting matched substrings?

Hi!

I'm having a look at Bro and I'd like first to congratulate the people involved in the project for this great work!

The concept of a contextual signature language seems very interesting, but I'm having a little problem... In fact, I read in the paper "Bro: A System for Detecting Network Intruders in Real-Time" this phrase about the REGEX implementation: "Second, we anticipate matching sets of patterns and wanting to know which subset were matched by a given set of text...". I thought I could get the matched substring from the signatures, but unfortunately I can't get out of it...

Is it possible to get these substrings in a policy script when a signature matches, or am I misunderstanding the quoted phrase?



event signature_match(state: signature_state, msg: string, data: string)

The 'data' parameter of the signature_match event contains the
payload that led to the match. (More precisely, it contains the
last chunk of payload that eventually triggered the match; for TCP,
it depends on the reassembly what exactly is passed).

Is this what you're looking for?
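
Added example, not part of the original thread or of the Bro distribution: a signature_match handler that re-applies the signature's expression to 'data' to recover the matched substring, and reports the case where the last chunk does not hold the whole match. The signature name and token pattern are constructed, and the use of find_all() and state$sig_id assumes a Bro/Zeek release that provides them.

```zeek
# Constructed signature, kept in a .sig file; shown here as a comment:
#
#   signature example-token {
#       ip-proto == tcp
#       payload /.*X-Example-Token:[0-9a-f]+/
#       event "example token seen"
#   }

# Same expression as the payload condition, without the leading ".*",
# so that find_all() returns only the token and not everything before it.
const token_re = /X-Example-Token:[0-9a-f]+/;

event signature_match(state: signature_state, msg: string, data: string)
    {
    # Only handle the constructed signature above.
    if ( state$sig_id != "example-token" )
        return;

    # Re-run the expression over the chunk that triggered the match.
    local hits = find_all(data, token_re);

    if ( |hits| == 0 )
        {
        # 'data' is only the last chunk of payload: the match may have
        # started in an earlier chunk, so the substring is not recoverable here.
        print fmt("%s (%s): match not contained in last chunk (%d bytes)",
                  state$sig_id, msg, |data|);
        return;
        }

    for ( h in hits )
        print fmt("%s (%s): matched substring %s", state$sig_id, msg, h);
    }
```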