[Bro] Regarding signatures

Robin Sommer robin at icir.org
Fri Mar 16 15:11:13 PDT 2007


On Fri, Mar 09, 2007 at 17:23 +0530, Ayyappa Suryanarayana T wrote:

> I am having trouble matching the same signature for packets in
> different connections. It's matching one connection but it's not
> matching for another connection, yet the packets have the same payload.

(Sorry for the delay in getting back to this.)

It actually works fine for me:

>cat a.sig 
signature gtalk_test {
 event "gtalk test received"
 payload /\x17\x03\x01/
}
>bro -r jabber-matched.pcap.pcap -s ./a.sig signatures
1165632085.395097 SensitiveSignature 192.168.0.3: gtalk test received
>bro -r jabber-unmatched.pcap.pcap -s ./a.sig signatures
1165670194.604938 SensitiveSignature 216.239.37.125: gtalk test received

What's the command line you're using?

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
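As an added illustration of the behaviour the thread is discussing (this is not Bro's code and not from the original post): Bro evaluates payload signatures against the reassembled byte stream of each connection, and fires the event once per connection. The model below runs the thread's payload expression the same way over constructed packets from two connections; the two IPs from the thread are reused, the 10.0.0.7 address and all payload bytes are made up, and the second connection's record header is deliberately split across two segments.

```python
import re
from collections import defaultdict

# Constructed packets: (originator ip, responder ip, tcp payload) in capture order.
# Connection A carries the header in one segment; connection B has it split
# across two segments, which a real TCP stream may do.
PACKETS = [
    ("192.168.0.3", "216.239.37.125", b"\x16\x03\x01\x00\x2a" + b"A" * 42),
    ("192.168.0.3", "216.239.37.125", b"\x17\x03\x01\x00\x20" + b"B" * 32),
    ("10.0.0.7", "216.239.37.125", b"\x16\x03\x01\x00\x10" + b"C" * 16 + b"\x17"),
    ("10.0.0.7", "216.239.37.125", b"\x03\x01\x00\x08" + b"D" * 8),
]

# The event message and payload expression from the signature in the thread.
GTALK_SIG = ("gtalk test received", re.compile(rb"\x17\x03\x01"))


def match_signature(packets, sig=GTALK_SIG, stream=True):
    """Run one payload signature over packets, tracking state per connection.

    stream=True  matches against the reassembled per-connection byte stream
                 (what Bro does); stream=False matches each packet on its own.
    Returns one event per connection as "<originator>: <message>", in the
    order the connections first matched.
    """
    msg, pattern = sig
    buffers = defaultdict(bytes)  # connection -> payload bytes seen so far
    events = {}                   # connection -> event text; fires only once
    for orig, resp, payload in packets:
        conn = (orig, resp)
        if conn in events:
            continue              # signature already fired for this connection
        if stream:
            buffers[conn] += payload
            data = buffers[conn]
        else:
            data = payload
        if pattern.search(data):
            events[conn] = f"{orig}: {msg}"
    return list(events.values())
```

With stream matching both connections produce an event; with per-packet matching only the first connection does, because the split header never appears whole in a single segment.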
