On Thu, Jun 21, 2018 at 4:25 PM Vern Paxson <vern(a)corelight.com> wrote:
though maybe p1 + p2 would be even better at
concatenation is happening?
I think this is somewhat problematic, since '+' already has a
regular-expression meaning which is different. In addition, '&' is
a more natural dual to '|' than '+' is.
Yeah, agree w/ that.
Interestingly, I discovered that we have a BIF
merge_pattern(p1, p2) which
does the same thing as "p1 & p2" (in the new syntax). As best as I can
tell it's not used anywhere - plus it's funky (only allows itself to be
called if Bro isn't processing traffic yet). Perhaps we can deprecate it, too?
If there actually is no (longer) problems with concatenating patterns
at run-time, I'd agree to deprecate.
I'm imagine it existed because there was such a problem with
dynamically creating patterns at run-time, but don't know/remember
what it was.