base/utils/patterns.zeek

GLOBAL

Functions for creating and working with patterns.

Namespace:GLOBAL

Summary

Functions

match_pattern: function Matches the given pattern against the given string, returning a PatternMatchResult record.
set_to_regex: function Given a pattern as a string with two tildes (~~) contained in it, it will return a pattern with string set’s elements OR’d together where the double-tilde was given.

Detailed Interface

Types

PatternMatchResult
Type:

record

matched: bool

T if a match was found, F otherwise.

str: string

Portion of string that first matched.

off: count

1-based offset where match starts.

Functions

match_pattern
Type:function (s: string, p: pattern) : PatternMatchResult

Matches the given pattern against the given string, returning a PatternMatchResult record. For example: match_pattern("foobar", /o*[a-k]/) returns [matched=T, str=f, off=1], because the first match is for zero o’s followed by an [a-k], but match_pattern("foobar", /o+[a-k]/) returns [matched=T, str=oob, off=2].

S:a string to match against.
P:a pattern to match.
Returns:a record indicating the match status.
set_to_regex
Type:function (ss: set [string], pat: string) : pattern

Given a pattern as a string with two tildes (~~) contained in it, it will return a pattern with string set’s elements OR’d together where the double-tilde was given. Examples:

global r1 = set_to_regex(set("a", "b", "c"), "~~");
# r1 = /^?(a|b|c)$?/
global r2 = set_to_regex(set("a.com", "b.com", "c.com"), "\\.(~~)");
# r2 = /^?(\.(a\.com|b\.com|c\.com))$?/
Ss:a set of strings to OR together.
Pat:the pattern containing a “~~” in it. If a literal backslash is included, it needs to be escaped with another backslash due to Zeek’s string parsing reducing it to a single backslash upon rendering.
Returns:the input pattern with “~~” replaced by OR’d elements of input set.