[Bro] Custom Signatures

Robin Sommer robin at icir.org
Sat Jul 1 10:46:43 PDT 2006

On Fri, Jun 30, 2006 at 23:39 -0700, Anandraj wrote:

> I did try bro -s ../site/signatures.bro ! there was no response .. I had
> to do a ctrl + c !

Not sure I understand what you did. Were you running Bro on live
traffic (then I suppose you also gave it the interface to listen
on), or on a trace (then, similarly, the command line needs to
include the trace file).

In general, the best way to debug such signature problems is to
capture a small trace on which the signature should match and then
first make sure that the packets' content indeed looks like what the
signature expects (e.g., using tcpdump). If it does, then making the
signature less and less restrictive until it finally matches often
helps to understand what the problem actually is.
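The "loosen the signature until it matches" procedure described above, as an added example that is not part of the thread: a small Python script that parses a subset of Bro's signature syntax (ip-proto, src-port, dst-port, payload), evaluates it against a constructed packet, and reports which condition is blocking the match. The signature, packet and helper names are assumptions for illustration, and the payload pattern is assumed to be simple enough to be valid in Python's re module as well.

```python
import re

# Hypothetical signature in Bro's signature syntax (constructed, not from the thread).
SIG_TEXT = r'''
signature http-admin-probe {
    ip-proto == tcp
    dst-port == 80
    payload /.*GET \/admin\/config\.php/
    event "admin probe"
}
'''

# Constructed packet, i.e. what you would read off the trace with tcpdump -A.
PACKET = {"ip_proto": "tcp", "src_port": 45012, "dst_port": 80,
          "payload": b"GET /admin/index.php HTTP/1.1\r\nHost: example.com\r\n\r\n"}

COND_RE = re.compile(r"^\s*(ip-proto|src-port|dst-port)\s*==\s*(\S+)\s*$")
PAYLOAD_RE = re.compile(r"^\s*payload\s+/(.*)/\s*$")


def parse_signature(text):
    """Return the ordered list of (condition_line, checker) from a Bro signature block."""
    conds = []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            field, value = m.group(1).replace("-", "_"), m.group(2)
            want = int(value) if value.isdigit() else value
            conds.append((line.strip(), lambda p, f=field, w=want: p[f] == w))
            continue
        m = PAYLOAD_RE.match(line)
        if m:
            # Bro payload patterns are anchored at the start of the payload, hence re.match.
            # Assumption: the pattern is also valid Python re syntax.
            pat = re.compile(m.group(1).encode(), re.DOTALL)
            conds.append((line.strip(), lambda p, r=pat: r.match(p["payload"]) is not None))
    return conds


def failing_conditions(text, packet):
    """Conditions that do not hold for the packet: these are the ones to loosen first."""
    return [name for name, check in parse_signature(text) if not check(packet)]


def relax_until_match(text, packet):
    """Drop conditions from the most specific (last) upward until the rest match."""
    remaining = parse_signature(text)
    dropped = []
    while remaining and not all(check(packet) for _, check in remaining):
        dropped.append(remaining.pop()[0])
    return dropped, [name for name, _ in remaining]
```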


