Added documentation for the pattern data type as well as btests for time, interval, and pattern.

2025-10-13 03:58:20 +00:00 · 2013-02-25 01:12:07 -05:00 · 2013-02-25 01:12:07 -05:00 · b53f701ffe
commit b53f701ffe
parent 1724784aad
9 changed files with 107 additions and 0 deletions
--- a/doc/user-manual/scripting.rst
+++ b/doc/user-manual/scripting.rst
@ -371,3 +371,27 @@ This time, when we execute the script we see an additional line in the output to

    @TEST-EXEC: btest-rst-cmd bro  -r ${TRACES}/wikipedia.trace ${TESTBASE}/doc/manual/data_type_interval.bro

+Pattern
+~~~~~~~
+
+Bro has support for fast text searching operations using regular expressions and even goes so far as to declare a native data type for the patterns used in regular expressions.  A pattern constant is created by enclosing text within the forward slash characters.  Bro supports syntax very similar to the flex lexical analyzer syntax.  The most common use of patterns in Bro you are likely to come across is embedded matching using the ``in`` operator.  Embedded matching adheres to a strict format, requiring the regular expression or pattern constant to be on the left side of the ``in`` operator and the string against which it will be tested to be on the right.
+
+.. rootedliteralinclude:: ${BRO_SRC_ROOT}/testing/btest/doc/manual/data_type_pattern_01.bro
+   :language: bro
+   :linenos:
+   :lines: 4-13
+
+In the sample above, two local variables are declared to hold our sample sentence and regular expression.  Our regular expression in this case will return true if the string contains either the word "quick" or the word "fox."  The ``if`` statement on line six uses embedded matching and the ``in`` operator to check for the existence of the pattern within the string.  If the statement resolves to true, split is called to break the string into separate pieces.  Split takes a string and a pattern as its arguments and returns a table of strings indexed by a count.  Each element of the table will be the segments before and after any matches against the pattern but excluding the actual matches.  In this case, our pattern matches twice, and results in a table with three entries.  Lines 11 through 13 print the contents of the table in order.  
+
+.. btest:: data_type_subnets
+    @TEST-EXEC: btest-rst-cmd bro ${TESTBASE}/doc/manual/data_type_pattern_01.bro
+
+Patterns can also be used to compare strings using equality and inequality operators through the ``==`` and ``!=`` operators respectively. When used in this manner however, the string must match entirely to resolve to true.  For example, the script below uses two ternary conditional statements to illustrate the use of the ``==`` operators with patterns.  On lines 5 and 8 the output is altered based on the result of the comparison between the pattern and the string.  
+
+.. rootedliteralinclude:: ${BRO_SRC_ROOT}/testing/btest/doc/manual/data_type_pattern_02.bro
+   :language: bro
+   :linenos:
+   :lines: 4-13
+
+.. btest:: data_type_subnets
+    @TEST-EXEC: btest-rst-cmd bro ${TESTBASE}/doc/manual/data_type_pattern_02.bro
--- a/testing/btest/Baseline/doc.manual.data_type_interval/.stdout
+++ b/testing/btest/Baseline/doc.manual.data_type_interval/.stdout
@ -0,0 +1,15 @@
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.118
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+     Time since last connection: 132.0 msecs 97.0 usecs
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+     Time since last connection: 177.0 usecs
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+     Time since last connection: 2.0 msecs 177.0 usecs
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+     Time since last connection: 33.0 msecs 898.0 usecs
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+     Time since last connection: 35.0 usecs
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3
+     Time since last connection: 2.0 msecs 532.0 usecs
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.2
+     Time since last connection: 7.0 msecs 866.0 usecs
--- a/testing/btest/Baseline/doc.manual.data_type_pattern_01/.stdout
+++ b/testing/btest/Baseline/doc.manual.data_type_pattern_01/.stdout
@ -0,0 +1,3 @@
+The 
+ brown fox jumped over the 
+ dog.
--- a/testing/btest/Baseline/doc.manual.data_type_pattern_02/.stdout
+++ b/testing/btest/Baseline/doc.manual.data_type_pattern_02/.stdout
@ -0,0 +1,2 @@
+equality and /^?(equal)$?/ are not equal
+equality and /^?(equality)$?/ are equal
--- a/testing/btest/Baseline/doc.manual.data_type_time/.stdout
+++ b/testing/btest/Baseline/doc.manual.data_type_time/.stdout
@ -0,0 +1,8 @@
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.118^J
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.3^J
+2011/06/18 19:03:08:  New connection established from 141.142.220.118 to 208.80.152.2^J
--- a/testing/btest/doc/manual/data_type_interval.bro
+++ b/testing/btest/doc/manual/data_type_interval.bro
@ -0,0 +1,20 @@
+# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+# Store the time the previous connection was established.
+global last_connection_time: time;
+
+# boolean value to indicate whether we have seen a previous connection.
+global connection_seen: bool = F;
+
+event connection_established(c: connection)
+	{
+    local net_time: time  = network_time();
+    print fmt("%s:  New connection established from %s to %s", strftime("%Y/%M/%d %H:%m:%S", net_time), c$id$orig_h, c$id$resp_h);
+    if (connection_seen)
+        {
+        print fmt("     Time since last connection: %s", net_time - last_connection_time);
+        }
+    last_connection_time = net_time;
+    connection_seen = T;
+	}
--- a/testing/btest/doc/manual/data_type_pattern_01.bro
+++ b/testing/btest/doc/manual/data_type_pattern_01.bro
@ -0,0 +1,14 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event bro_init()
+    {
+    local test_string = "The quick brown fox jumped over the lazy dog.";
+    local test_pattern = /quick|lazy/;
+    
+    if (test_pattern in test_string)
+        local results = split(test_string, test_pattern);
+        print results[1];
+        print results[2];
+        print results[3];
+    }
--- a/testing/btest/doc/manual/data_type_pattern_02.bro
+++ b/testing/btest/doc/manual/data_type_pattern_02.bro
@ -0,0 +1,14 @@
+# @TEST-EXEC: bro %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event bro_init()
+    {
+    local test_string = "equality";
+
+    local test_pattern = /equal/;
+    print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
+    
+    test_pattern = /equality/;
+    print fmt("%s and %s %s equal", test_string, test_pattern, test_pattern == test_string ? "are" : "are not");
+    }
+
--- a/testing/btest/doc/manual/data_type_time.bro
+++ b/testing/btest/doc/manual/data_type_time.bro
@ -0,0 +1,7 @@
+# @TEST-EXEC: bro -b -r $TRACES/wikipedia.trace %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event connection_established(c: connection)
+	{
+    print fmt("%s:  New connection established from %s to %s\n", strftime("%Y/%M/%d %H:%m:%S", network_time()), c$id$orig_h, c$id$resp_h);
+	}