[Bro] Using a 'OR' condition in Signature payloads
dhanesh at tataelxsi.co.in
Mon Oct 30 19:51:32 PST 2006
>Yes, this should be written instead as:
> payload /.*(abc)|(xyz).*/
>Or, if you want to match "abc" or "xyz" anywhere in the payload, as:
> payload /.*(abc|xyz).*/
I wrote the same pattern in the payload, but only the first packet that matches
the pattern (either 'abc' or 'xyz') gets logged.
Bro checks for the pattern in each packet, so I should have got logs for all
packets that have at least one of the patterns.
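The point of the quoted reply, that `|` has the lowest precedence in a regular expression, so `/.*(abc)|(xyz).*/` is really `(.*abc)|(xyz.*)` while `/.*(abc|xyz).*/` matches either string anywhere, can be checked outside Bro. The following is an added example written for this page, not code from the original post or from Bro; it uses Python's `re` module, and it assumes (as the leading `.*` in the quoted patterns suggests) that a signature's `payload` regex is matched from the start of the payload, which `re.match` emulates. The payloads are constructed samples.

```python
import re

# Constructed sample payloads (not taken from the original post).
PAYLOADS = {
    "abc at start":      b"abc foo bar",
    "abc in the middle": b"foo abc bar",
    "xyz at start":      b"xyz foo bar",
    "xyz in the middle": b"foo xyz bar",
    "neither":           b"foo bar baz",
}

# The two patterns from the quoted reply. '|' binds loosest, so the first
# one parses as (.*abc)|(xyz.*): 'abc' may appear anywhere, but 'xyz' only
# at the very start of the payload. The grouped form matches either anywhere.
UNGROUPED_ALT = re.compile(rb".*(abc)|(xyz).*", re.DOTALL)
GROUPED_ALT = re.compile(rb".*(abc|xyz).*", re.DOTALL)

# Explicitly parenthesised version of UNGROUPED_ALT, to show it is the same thing.
UNGROUPED_ALT_EXPLICIT = re.compile(rb"(.*abc)|(xyz.*)", re.DOTALL)


def matches(pattern, payload):
    # Assumption: the payload regex is anchored at the start of the payload
    # (hence the leading .* in the original patterns); re.match does the same.
    return pattern.match(payload) is not None


def compare(payloads=PAYLOADS):
    """Return {name: (ungrouped_matches, grouped_matches)} for each sample."""
    return {
        name: (matches(UNGROUPED_ALT, p), matches(GROUPED_ALT, p))
        for name, p in payloads.items()
    }


def ungrouped_is_explicit(payloads=PAYLOADS):
    """True if .*(abc)|(xyz).* behaves exactly like (.*abc)|(xyz.*) on every sample."""
    return all(
        matches(UNGROUPED_ALT, p) == matches(UNGROUPED_ALT_EXPLICIT, p)
        for p in payloads.values()
    )


if __name__ == "__main__":
    for name, (ungrouped, grouped) in compare().items():
        print(f"{name:18s} ungrouped={ungrouped!s:5s} grouped={grouped}")
```

Only the "xyz in the middle" sample separates the two patterns: the ungrouped alternation rejects it, the grouped one accepts it, which is exactly the case the reply's second pattern is for.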