[Bro] Signatur match issue with Bro 1.2.1

SRIRANJAN. sriranjan.u at gmail.com
Thu Apr 19 23:40:37 PDT 2007

I am facing issue with signature match for the traffic without handshake

I wrote following signature

signature ftp_220response {
        ip-proto == tcp
        payload /[\n\r ]*(120|220)[^0-9].*\r\n/
        event "FTP Response 220 matched"

this signature match will happen for the traffic with initial SYN,SYN-ACK,
and ACK followed by the 220 response FTP packet,

but if I gave the traffic without the initial handshakes (i.e. only the 220
response FTP packet ) the same signature will not match, but the signature
without line "ip-proto == tcp" will work i.e.

signature ftp_220response {
        payload /[\n\r ]*(120|220)[^0-9].*\r\n/
        event "FTP Response 220 matched"

the above signature will work for the both the cases(with  and without
handshake packets), but i am curious to know why the signatures with the
line "ip-proto == tcp" will not work for the asymmetric case.
is it the desired way of working??

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070420/e93c314f/attachment.html 

More information about the Bro mailing list