[Bro] Regarding signatures
Robin Sommer
robin at icir.org
Fri Mar 16 15:11:13 PDT 2007
On Fri, Mar 09, 2007 at 17:23 +0530, Ayyappa Suryanarayana T wrote:
> I am having trouble matching the same signature for packets in
> different connections; it's matching one connection but it's not
> matching for another connection, but the packets have the same payload.
(Sorry for the delay in getting back to this.)
It actually works fine for me:
>cat a.sig
signature gtalk_test {
    event "gtalk test received"
    payload /\x17\x03\x01/
}
>bro -r jabber-matched.pcap.pcap -s ./a.sig signatures
1165632085.395097 SensitiveSignature 192.168.0.3: gtalk test received
>bro -r jabber-unmatched.pcap.pcap -s ./a.sig signatures
1165670194.604938 SensitiveSignature 216.239.37.125: gtalk test received
What's the command line you're using?
Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org