Patterns and Word Boundaries

Lloyd_Brown · October 22, 2015, 3:05pm

Hopefully this isn't too simplistic of a question, but I'm just getting
started with Bro.

In the text pattern syntax for Bro [1], is there an easy way to define
word boundaries, similar to how some of the RegEx dialects use '\b',
'\<', '\>', etc.? [2]

I'm trying to match for specific strings in a data stream. For example,
the word "nmap". I'm trying several approaches, based on past RegEx
knowledge, and I'm having trouble coming up with a single pattern that
would handle it all. Example bro test script attached; hopefully it's
clear.

Fundamentally, is there a syntax reference for pattern matching, or does
it conform to a commonly known dialect (eg. POSIX-style RegEx, or PCRE
RegEx)?

[1] https://www.bro.org/sphinx/scripting/index.html#pattern
[2] Regex Tutorial - \b Word Boundaries

patterns.wordboundary.testcase.bro (1.47 KB)

Samuel_Oehlert · October 22, 2015, 4:03pm

I know Bro’s regex syntax is almost exactly the same as Flex (only differing in some very edge cases). I am not positive, but from a cursory google it seems Flex doesn’t understand word boundaries.

-Sam

Lloyd_Brown · October 22, 2015, 5:08pm

Well, okay. From what I can tell experimentally, it doesn't have
working shortcuts like "\s" or "[:space:]" either, so I guess I'm left
to do it more like *this* attachment.

Unless I'm missing something obvious. I'd be happy to be wrong on this one.

Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu

patterns.wordboundary.testcase.bro (889 Bytes)

robin · October 22, 2015, 6:40pm

It does actually support the standard "[:...:]" cases.

Robin

Lloyd_Brown · October 22, 2015, 9:32pm

For future list-viewers, yes, I was missing something obvious. The word
boundaries are genuinely missing, but I was using the shortcuts like
'[:space:]' incorrectly.

In short, '[:space:]' and others like it, are not character classes
themselves, but they can exist in a character class. The '[:space:]' is
not the equivalent of '[ \f\n\r\t\v]', but '[[:space:]]' is.

Thanks for the feedback on this, Robin. Sorry for the unnecessary list
noise.

Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University
http://marylou.byu.edu

Daniel_Guerra · October 22, 2015, 10:56pm

Have you read this ??

http://flex.sourceforge.net/manual/Patterns.html

Regex != Flex

Lloyd_Brown · October 22, 2015, 11:03pm

Yes. I had seen that. And I just missed the double-bracket detail.

Having said that, this looks to me like as much of a RegEx dialect as
any other. Those extended shortcuts like I've been referring to are
reasonably common, but not required. And the first sentence on that
page even says the following:

The patterns in the input ... are written using an extended set of regular expressions.

So Flex and RegEx at least share a lot of features and syntax. Whether
or not it's truly RegEx, seems like a purely semantic discussion.

Lloyd Brown
Systems Administrator
Fulton Supercomputing Lab
Brigham Young University

Topic		Replies	Views
Bro regex documentation Zeek	6	107	May 6, 2022
Query regarding pattern match Zeek	4	74	May 6, 2022
Questions on regular expression syntax in BRO system Zeek	1	90	May 6, 2022
Questions on regular expression syntax in BRO system Zeek	1	84	May 6, 2022
Regarding pattern matching in bro Zeek	1	104	May 6, 2022

Patterns and Word Boundaries

Related topics