Bro <-> Snort documentation

Jim Mellander jmellander at
Fri Jul 11 15:34:26 PDT 2003

I sent this to Vern, but thought a wider audience might be interested,
or have some answers.

Thanks Vern:

I'm planning on using the snort engine to extend KO (Kazaa
Obliterator).  It looks like I could use a policy script like this:

signature kazaa-seen {
	ip-proto == tcp
	dst-ip == whatever
	dst-port == whatever (or omitted, I guess)
	payload /.*kazaa regular expression/
	eval function_to_execute_when_kazaa_seen
	event "kazaa seen"
}

The 'eval' & the 'event' are somewhat confusing.  I presume that the
'signature_match' event is triggered with the string for action, but
when is the 'eval' called (before the event, or after), and with what
args? Presumably the connection information is available.  I haven't
seen any running examples of the signature event.  Do you have some


Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204
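As an added illustration (not part of Jim's post or the Bro distribution), here is how the eval condition and the event fit together in the signature framework: eval names a policy function that is called, after the other conditions have matched, with the signature state and the matched payload, and the signature only fires (raising signature_match) if that function returns true. The function name, the port value and the regular expression are sample values chosen for this example.

```bro
# Added example, not from the original post. Signature side (.sig file):
signature kazaa-seen {
	ip-proto == tcp
	dst-port == 1214          # sample port value for the example
	payload /.*[Kk]a[Zz]a[Aa]/  # sample pattern; tune to real traffic
	eval kazaa_check          # condition function defined in policy below
	event "kazaa seen"        # msg passed to signature_match on a hit
}

# Policy side (.bro script). The eval function is a *condition*: it is
# called once the ip-proto/dst-port/payload conditions matched, gets the
# signature state (state$conn is the connection record) and the payload
# that matched, and decides whether the signature fires at all.
function kazaa_check(state: signature_state, data: string): bool
	{
	# Example filter: ignore hits where the server is a local address
	# (is_local_addr comes from site.bro); return F to suppress the match.
	if ( is_local_addr(state$conn$id$resp_h) )
		return F;
	return T;
	}

# Only reached when every condition, including kazaa_check, succeeded.
# msg is the string given to 'event' in the signature.
event signature_match(state: signature_state, msg: string, data: string)
	{
	if ( msg == "kazaa seen" )
		print fmt("%s -> %s:%s %s",
		          state$conn$id$orig_h, state$conn$id$resp_h,
		          state$conn$id$resp_p, msg);
	}
```

Omitting eval is fine; then the signature fires on the pattern match alone and signature_match is the only hook.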

