signature match bug

I found this comment in RuleMatcher.cc.

// - Sometimes, the signature match event is generated after a
// connection_finished (or similar) event. Using the default ru
les.bro,
// this means that we will not see the rule id in the connectio
n summary.

I wanted to fix this bug. Can somebody tell me what's the basic problem
here... and any hints on the approach?

I'm new to Bro regex matching code... so any documentation in
understanding how Bro regex matching works would help too.

thanks
-y

Hmm... I think the comment is out of date. These days the connection
summaries are generated by a connection_state_remove() handler in
conn.bro. I don't think a signature_match can be generated *after*
the connection_state_remove event (which is raised when the internal
connection state is flushed). So, seems there's nothing to fix. :slight_smile:

Robin