On Tue, 20 May 2003, Ethan Sommer wrote:

Nope. I need to strip out all the nulls from the packet, or any posix
regex parser will think the string ends at the first null. (so protocols
which use null's will be difficult/impossible to identify)

Ok, i see your dilema. How does snort do it? I dont think copying the
packet is the right way to do it. Could the null NOT be considered as
something speacial unless explicitly stated?

I could modify the regexec function to take a length, but then it
wouldn't be the posix regexec prototype and I was hopeing someone would
add those to the common library of kernel functions, so others could use
them. (and hence make it easier to maintain.)

This would be the first start. Check with the netfilter folks who are
famous for creating bread slicers - they may already have something along
these lines.
I am actually  interested in the kernel variant of such a
library. Actually once you have the library (which is efficient) we could
work together. I have some stuff cooking (and lotsa opinions on what i
would like to see in it that you could consider as requirements).

cheers,
jamal