Next: , Previous: Strings, Up: Strings



3.5.1 String Constants

You create string constants by enclosing text within double (") quotes. A backslash character (\) introduces an escape sequence. The following ANSI C escape sequences are recognized: FIXME the 8-bit ASCII character with code hex-digits. Bro string constants currently cannot be continued across multiple lines by escaping newlines in the input. This may change in the future. Any other character following a \ is passed along literally.

Unlike in C, strings are represented internally as a count and a vector of bytes, rather than a NUL-terminated series of bytes. This difference is important because NULs can easily be introduced into strings derived from network traffic, either by the nature of the application, inadvertently, or maliciously by an attacker attempting to subvert the monitor. An example of the latter is sending the following to an FTP server:

         USER nice\0USER root

where “\0” represents a NUL. Depending on how it is written, the FTP application receiving this text might well interpret it as two separate commands, “USER nice” followed by “USER root”. But if the monitoring program uses NUL-terminated strings, then it will effectively see only “USER nice” and have no opportunity to detect the subversive action.

Note that Bro string constants are automatically NUL-terminated.

Note: While Bro itself allows NULs in strings, their presence in arguments to many Bro functions results in a run-time error, as often their presence (or, conversely, lack of a NUL terminator) indicates some sort of problem (particularly for arguments that will be passed to C functions). See XXX for discussion.