[Bro] Signature Match for TCP packets.

Jaya Dhanesh dhanesh at tataelxsi.co.in
Tue Nov 6 20:26:13 PST 2007


I have problems in signature matching. I have a signature like:

signature tcp_http {
	dst-port == 80
	event "HTTP Packet"
}

This should match all packets sent to port 80 including the handshake
packets. But no match was happening when I sent HTTP traffic.

In RuleMatcher::InitEndpoint, DO_MATCH_OR is called only if 'ip' (IP_Hdr *ip)
is not NULL. For a TCP packet, PIA_TCP::DeliverStream calls DoMatch with ip
set to 0. This makes sure that the match doesn't happen for TCP packets with
signatures that only have destination ports. Is there any reason for passing a
NULL as the last parameter to DoMatch?

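Added example, not code from the post or from Bro: a small lint for the `signature id { ... }` syntax shown above. It flags signatures whose only conditions are packet-header tests (dst-port, src-port, ip-proto and so on) with no content condition such as `payload`, which is the shape the poster reports as producing no match on TCP traffic, and it reports a block that is never closed. The keyword lists are an assumption taken from the Bro signature language documentation of the time, not something the post states; the sample signatures are constructed for the example.

```python
"""Lint Bro-style signature files for header-only TCP signatures.

Assumptions (not from the post): the condition keywords below follow the Bro
signature language reference; a block is closed by a line holding only "}".
"""
import re

# Packet-header conditions: these are evaluated against an IP header.
HEADER_CONDITIONS = {"src-ip", "dst-ip", "src-port", "dst-port", "ip-proto", "header"}
# Content conditions: these need reassembled payload to be matched.
CONTENT_CONDITIONS = {"payload", "http-request", "http-request-header",
                      "http-request-body", "http-reply-header",
                      "http-reply-body", "ftp", "finger"}
# Actions are not conditions and are ignored when classifying a signature.
ACTIONS = {"event", "enable"}

# Constructed sample: the poster's signature (with its brace closed) and one
# that also tests the payload.
SAMPLE = """
signature tcp_http {
    dst-port == 80
    event "HTTP Packet"
}

signature tcp_http_get {
    ip-proto == tcp
    dst-port == 80
    payload /^GET /
    event "HTTP GET"
}
"""

# Constructed sample: the signature exactly as it appears in the post, unclosed.
POSTED_AS_WRITTEN = 'signature tcp_http {\n\tdst-port == 80\n\tevent "HTTP Packet"\n'

SIG_OPEN = re.compile(r"signature\s+([\w.-]+)\s*\{$")


def parse_signatures(text):
    """Return {signature_id: [leading keyword of each body line]}.

    Parsing is line based so that braces inside a payload regex or an event
    string do not confuse it. Raises ValueError for an unterminated block,
    a stray closing brace, or a condition outside any block.
    """
    sigs = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SIG_OPEN.match(line)
        if m:
            if current is not None:
                raise ValueError(f"signature {current}: missing closing brace before line {lineno}")
            current = m.group(1)
            sigs[current] = []
            continue
        if line == "}":
            if current is None:
                raise ValueError(f"line {lineno}: stray closing brace")
            current = None
            continue
        if current is None:
            raise ValueError(f"line {lineno}: condition outside a signature block")
        sigs[current].append(line.split()[0])
    if current is not None:
        raise ValueError(f"signature {current}: missing closing brace at end of input")
    return sigs


def header_only(keywords):
    """True if every condition (actions excluded) is a packet-header test."""
    conds = [k for k in keywords if k not in ACTIONS]
    return bool(conds) and all(k in HEADER_CONDITIONS for k in conds)


def lint(text):
    """Return (ids_of_header_only_signatures, parse_error_or_None)."""
    try:
        sigs = parse_signatures(text)
    except ValueError as exc:
        return [], str(exc)
    return [sid for sid, kws in sigs.items() if header_only(kws)], None


if __name__ == "__main__":
    for label, text in (("SAMPLE", SAMPLE), ("POSTED_AS_WRITTEN", POSTED_AS_WRITTEN)):
        flagged, error = lint(text)
        if error:
            print(f"{label}: {error}")
        for sid in flagged:
            print(f"{label}: {sid} has only packet-header conditions; "
                  f"add a content condition such as payload if stream matching is wanted")
```

Run it on a signature file to see which signatures would depend on header-only matching; the lint says nothing about whether Bro itself should match such signatures on TCP, which is the question the post raises.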
