[Bro] Using a 'OR' condition in Signature payloads
vern at icir.org
Tue Oct 31 00:32:27 PST 2006
> payload /.*(abc) | (xyz).*/
> When I run Bro with this signature, I was able to see a log for the packet
> that matches the pattern first, i.e., the packet with
> abc or xyz (whichever comes first) gets logged and the rest doesn't generate
> a log.
> Only one pattern matches always and the others go unnoticed.
> Is there anything wrong in writing the 'OR' condition?
I believe what's going on is that "payload" is matching the TCP *byte-stream*
rather than individual packets. As such, there's just one match to the
pattern, since the .*'s eat up everything else in the byte-stream.
There's an option to just match packet payloads, but I don't recall what
it is. I've cc'd Robin since he's the expert on the signature engine.
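To illustrate the byte-stream effect described above, here is an added Python example (not from the thread, and not Bro's signature engine): a Python regex equivalent of the quoted pattern is run once over the reassembled stream and once per segment, on constructed sample segments.

```python
import re

# Constructed sample: three TCP segments of one connection, each carrying
# one of the two strings the quoted signature looks for.
SEGMENTS = [b"GET /abc HTTP/1.0\r\n", b"Host: xyz.example\r\n", b"X: abc\r\n"]

# The quoted pattern as a Python regex (assumption: the spaces around '|'
# in the post were not meant literally, so they are dropped here).
PATTERN = re.compile(rb".*(abc)|(xyz).*", re.DOTALL)


def match_stream(segments):
    """Match against the reassembled byte-stream, the way the reply says
    'payload' works.  The greedy leading '.*' swallows every earlier token
    and the trailing '.*' swallows everything after, so one hit results."""
    stream = b"".join(segments)
    return [m.group(1) or m.group(2) for m in PATTERN.finditer(stream)]


def match_packets(segments):
    """Match each segment on its own: every packet carrying a token is a hit."""
    hits = []
    for seg in segments:
        m = PATTERN.search(seg)
        if m:
            hits.append(m.group(1) or m.group(2))
    return hits


def match_tokens_only(segments):
    """Same stream, but without the '.*' wrappers: each occurrence of a token
    becomes its own match, which is the behaviour the poster expected."""
    return re.findall(rb"abc|xyz", b"".join(segments))


if __name__ == "__main__":
    print("stream, quoted pattern :", match_stream(SEGMENTS))
    print("per packet             :", match_packets(SEGMENTS))
    print("stream, tokens only    :", match_tokens_only(SEGMENTS))
```

Python's backtracking matcher and Bro's automaton-based one differ in detail, but both report a single match here because the `.*` on either side of the alternation consumes the rest of the stream.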