Add find_first string function

src/script_opt/FuncInfo.cc

@@ -265,6 +265,7 @@ static std::unordered_map<std::string, unsigned int> func_attrs = {
     {"find_entropy", ATTR_FOLDABLE},
     {"find_in_zeekpath", ATTR_IDEMPOTENT}, // can error
     {"find_last", ATTR_FOLDABLE},
+    {"find_first", ATTR_FOLDABLE},
     {"find_str", ATTR_FOLDABLE},
     {"floor", ATTR_FOLDABLE},
     {"flush_all", ATTR_NO_SCRIPT_SIDE_EFFECTS},

src/strings.bif

@@ -1107,6 +1107,30 @@ function find_last%(str: string, re: pattern%) : string
 	return zeek::val_mgr->EmptyString();
 	%}
 
+## Finds the first occurrence of a pattern in a string.
+##
+## str: The string to inspect.
+##
+## re: The pattern to look for in *str*.
+##
+## Returns: The first string in *str* that matches *re*, or the empty string.
+##
+## .. zeek:see:: find_all find_all_ordered find_last strstr
+function find_first%(str: string, re: pattern%) : string
+	%{
+	const u_char* s = str->Bytes();
+	const u_char* e = s + str->Len();
+
+	for ( const u_char* t = s; t < e; ++t )
+		{
+		int n = re->MatchPrefix(t, e - t);
+		if ( n >= 0 )
+			return zeek::make_intrusive<zeek::StringVal>(n, (const char*) t);
+		}
+
+	return zeek::val_mgr->EmptyString();
+	%}
+
 ## Returns a hex dump for given input data. The hex dump renders 16 bytes per
 ## line, with hex on the left and ASCII (where printable)
 ## on the right.

testing/btest/bifs/find_first.zeek

@@ -0,0 +1,16 @@
+# @TEST-EXEC: zeek -b %INPUT >out
+# @TEST-EXEC: btest-diff out
+
+event zeek_init()
+	{
+	local a = "this is a test";
+	local pat = /hi|es/;
+	local pat2 = /aa|bb/;
+
+	local b = find_first(a, pat);
+	local b2 = find_first(a, pat2);
+
+	print b;
+	print "-------------------";
+	print |b2|;
+	}