You create string constants by enclosing text within double (") quotes.
A backslash character (\) introduces an escape sequence. The following ANSI C escape sequences are recognized:
FIXME
the 8-bit ASCII character with code hex-digits.
Bro string constants currently cannot be continued across
multiple lines by escaping newlines in the input. This may change
in the future.
Any other character following a \ is passed along literally.
Unlike in C, strings are represented internally as a count and a vector of bytes, rather than a NUL-terminated series of bytes. This difference is important because NULs can easily be introduced into strings derived from network traffic, either by the nature of the application, inadvertently, or maliciously by an attacker attempting to subvert the monitor. An example of the latter is sending the following to an FTP server:
USER nice\0USER root
where “\0” represents a NUL. Depending on how it is written, the FTP application receiving this text might well interpret it as two separate commands, “USER nice” followed by “USER root”. But if the monitoring program uses NUL-terminated strings, then it will effectively see only “USER nice” and have no opportunity to detect the subversive action.
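The difference between the two representations, as an added example in C (not code from Bro itself): the same bytes are examined once through a NUL-terminated view and once as a count plus a vector of bytes. The struct, the function names, and the sample buffer are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Counted string: a length plus bytes, so an embedded NUL is ordinary data. */
struct counted_str { size_t len; const unsigned char *bytes; };

/* Constructed sample input: the FTP line from the text, with a real NUL byte. */
static const unsigned char SAMPLE[] = "USER nice\0USER root";
static const struct counted_str SAMPLE_STR = { sizeof(SAMPLE) - 1, SAMPLE };

/* Number of bytes a NUL-terminated view of the data exposes to a monitor. */
size_t visible_as_c_string(struct counted_str s)
{
    const void *nul = memchr(s.bytes, '\0', s.len);
    return nul ? (size_t)((const unsigned char *)nul - s.bytes) : s.len;
}

/* Embedded NUL bytes; any at all is suspicious in a text protocol line. */
size_t embedded_nuls(struct counted_str s)
{
    size_t n = 0;
    for (size_t i = 0; i < s.len; i++)
        if (s.bytes[i] == '\0')
            n++;
    return n;
}

/* Occurrences of keyword kw within the first `limit` bytes of s. */
size_t count_keyword(struct counted_str s, size_t limit, const char *kw)
{
    size_t klen = strlen(kw), n = 0;
    if (limit > s.len)
        limit = s.len;
    for (size_t i = 0; klen && i + klen <= limit; i++)
        if (memcmp(s.bytes + i, kw, klen) == 0)
            n++;
    return n;
}

int main(void)
{
    size_t seen = visible_as_c_string(SAMPLE_STR);
    printf("NUL-terminated view: %zu bytes, %zu USER command(s)\n",
           seen, count_keyword(SAMPLE_STR, seen, "USER "));
    printf("counted view: %zu bytes, %zu USER command(s), %zu NUL(s)\n",
           SAMPLE_STR.len, count_keyword(SAMPLE_STR, SAMPLE_STR.len, "USER "),
           embedded_nuls(SAMPLE_STR));
    return 0;
}
```

The NUL-terminated view ends after “USER nice”, while the counted view covers the whole line and exposes both commands and the NUL itself.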
Note that Bro string constants are automatically NUL-terminated.
Note: While Bro itself allows NULs in strings, their presence in arguments to many Bro functions results in a run-time error, as often their presence (or, conversely, lack of a NUL terminator) indicates some sort of problem (particularly for arguments that will be passed to C functions). See XXX for discussion.