[Bro] Custom Signatures

Anandraj anandrajm at fastmail.fm
Fri Jun 30 23:39:14 PDT 2006


Hi all,

For the following signature built into ../site/signatures.bro:
signature s2b-719-7-BRO { /*a rename from s2b-719-7 to s2b-719-7-BRO  */
  ip-proto == tcp
  src-port == 23
  event "TELNET root login"
  tcp-state established,responder
  payload /.*login\x3A root/
}

I could find a log in the Signatures-xxx.log

1151508123.667965:SensitiveSignature:10.50.27.117:23/tcp:10.50.25.122:2089/tcp:s2b-719-7-BRO:10.50.27.117:
TELNET root login:t::

But when I added the following custom signature in
../site/signatures.bro,
I could not find a log in Signatures-xxx.log (the event occurred; I did a
login as anand).

/*Signature for the event when the user name is anand */
signature telnet_test {
  ip-proto == tcp
  src-port == 23
  event "TELNET anand login"
  tcp-state established,responder
  payload /.*login: anand/
}

I did try bro -s ../site/signatures.bro! There was no response, and I had
to do a Ctrl+C!

Could someone help me with this?

Thanks,
Anand
