I am testing string comparison with BRO, and got some runtime errors. Hope you guys could take a look and give me some hints.
For example, I have two strings, let's say str_A and str_B. str_A is sort of a pattern, like: str_A = "\x13\x02\xf0\x80";
And str_B is a payload (contents) string from the function:
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count, ack: count, len: count, contents: string)
I compared the two strings with: if(str_A in str_B), which reduced the runtime errors like:
1467860547.182543 error: string with embedded NUL: "\x13\x00\xf0\x13"
1467860547.182543 error: string without NUL terminator: "\x13\x00\xf0\x13\x02\xf0\x80\x02\x00\x00\xc0\x01\x00\x00\x00\x00\x87\x02"
It looks like the 'x00' in the middle of the pattern string was considered as a terminator, and for the latter there wasn't a NUL at the end of the str_B.
So the (silly) question is how I could append a NUL at the end of str_B within BRO? And how to make BRO ignore the embedded NUL in the middle of a string when comparing? Many thanks.