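# Experiment: which pattern forms match "nmap" as a standalone word (for
# example in a tool name or user-agent string) without also firing on
# substrings such as "unmapped_entries". Every pattern is applied to every
# testcase with the embedded-match operator `in`, and the outcome is printed.
#
# NOTE(review): every pattern here is case-sensitive, so "Nmap" would not be
# detected. If the detection should ignore case, lower-case the input with
# to_lower() before matching.
event bro_init()
    {
    local testcases = set(
        "nmap",               # should match something
        "test nmap",          # should match something
        "nmap test",          # should match something
        "test nmap test",     # should match something
        "unmapped_entries",   # should NOT match any of the patterns
        "test\tnmap",         # should match something
        "nmap\ttest",         # should match something
        "test\tnmap\ttest",   # should match something
        "tool=nmap;"          # constructed sample: punctuation-delimited, should match
    );

    local nmap_patterns = vector(
        / nmap /,             # works, but misses non-space whitespace such as '\t'
        /^nmap /,
        / nmap$/,
        /^nmap$/,

        # Does not act as a word boundary. NOTE(review): Bro patterns appear to
        # follow flex-style syntax, where \b is presumably the backspace
        # escape rather than a PCRE word-boundary assertion. Confirm against
        # the Bro version in use.
        /\bnmap\b/,

        # The next entry was present as `/\/`; its pattern text was lost in
        # this copy. As written it is an unterminated pattern literal and
        # keeps the script from parsing, so it is disabled here.
        # /\/,                # doesn't seem to match word boundaries as expected

        # These work, but only for the whitespace characters listed.
        /[ \t]nmap$/,
        /^nmap[ \t]/,
        /[ \t]nmap[ \t]/,

        # Generic word boundaries: any character outside [a-zA-Z0-9_]
        # delimits the word, so no specific whitespace or punctuation has to
        # be anticipated. Together with /^nmap$/ above, these cover the
        # start, middle and end positions.
        /[^a-zA-Z0-9_]nmap[^a-zA-Z0-9_]/,
        /^nmap[^a-zA-Z0-9_]/,
        /[^a-zA-Z0-9_]nmap$/

        # A negative lookahead / lookbehind variant was also tried but does not
        # compile (its text is partly lost in this copy):
        # /(?!\s)/
    );

    for ( testcase in testcases )
        {
        print fmt("Testcase: \"%s\"", testcase);

        # Iterating a vector yields its indices, hence nmap_patterns[pi].
        for ( pi in nmap_patterns )
            {
            if ( nmap_patterns[pi] in testcase )
                print fmt(" Pattern: %s - Matched", nmap_patterns[pi]);
            else
                print fmt(" Pattern: %s - Did NOT match", nmap_patterns[pi]);
            }
        }
    }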