In the Apache Metron Project (in the attic now) we used https://github.com/nishihatapalmer/byteseek to do pcap searches; maybe you can check that out.

From: Phil H <[email protected]>
Reply: [email protected] <[email protected]>
Date: March 16, 2022 at 20:04:58
To: [email protected] <[email protected]>
Subject: Re: SplitContent doesn’t support regex?

I dunno about a good implementation… I did a similar extension of GetTCP to allow for a regex EOM rather than a single byte. It works, but I don’t feel like it was done in the spirit of the existing processor!

On Thu, 17 Mar 2022 at 09:12, Joe Witt <[email protected]> wrote:

> Phil
>
> I'd say if you have a good implementation in mind you should go for it.
> Sounds interesting.
>
> Thanks
>
> On Wed, Mar 16, 2022 at 3:59 PM Phil H <[email protected]> wrote:
>
> > Hi,
> >
> > This seems like an odd omission - aside from performance (presumably?) is
> > there a reason why there isn’t a regex option for the byte sequence? I need
> > one but thought I’d ask before I built my own.
> >
> > Thanks
> > Phil
