[Bro] Clarification reg signatures

Jaya Dhanesh dhanesh at tataelxsi.co.in
Thu Mar 1 20:15:01 PST 2007

Hi all,

I have a clarification regarding writing signatures. I want to check only the first 4 bytes of the TCP payload.

I tried using
signature payload-3 {
	ip-proto == tcp
	event "First three bytes matched"
}

This signature didn't match. Can anyone suggest how to compare the first 'n' bytes of the payload?

I also saw patterns like payload/{4}reg-exp/ in signatures file. What do
they imply?
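As an added example, not part of the original post, here is how a payload condition can be anchored with ^ so that only the leading bytes of the TCP stream are compared, and how a {n} quantifier consumes a fixed number of arbitrary bytes before the rest of the pattern; the byte values and the "HELO" token are constructed placeholders, not values from the post.

```bro
# Constructed example signatures (not from the original post).

# Match only when the first four bytes of the reassembled TCP stream are
# exactly 0x01 0x02 0x03 0x04. The ^ anchor is what restricts the comparison
# to the start of the payload; without it the bytes could match anywhere.
signature first-four-bytes {
    ip-proto == tcp
    payload /^\x01\x02\x03\x04/
    event "First four bytes matched"
}

# .{4} is the regex "exactly four arbitrary bytes" quantifier: skip a
# four-byte header of any value, then require the token "HELO" to follow.
signature skip-four-then-token {
    ip-proto == tcp
    payload /^.{4}HELO/
    event "Token found after a four-byte header"
}
```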
