[Bro] How to write a signature definition for (event_A AND event_B)?

Bogdan Koziol robtobfli at gmx.net
Tue Oct 21 14:42:19 PDT 2008


Hello everybody,

I'm a new and inexperienced user of the really interesting BRO detection
framework. I want to write a signature definition for event A and B, which
triggers only after event A and B happened. My approach so far:

signature s1 {event "Pattern A"}

signature s2 {event "Pattern B"
   requires-signature s1
}

If I understood the documentation correctly, I can define an event sequence
with the "requires-signature" condition.

But this one only matches events (A, B) and not (B, A).

Is it possible to write an event expression (A AND B)?

Kind regards,
 Bogdan.
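
An added example, not part of the original post and not code from the Bro project: one way to get an order-independent (A AND B) is to let both signatures fire on their own, without requires-signature, and combine the matches per connection in a policy script through the signature_match event. It is written in the script syntax of current Zeek (Bro's successor); the module name SigAnd, the notice type Both_Matched and the names required_sigs and seen are hypothetical, and s1/s2 are the signature ids from the post.

```zeek
# Added example (Zeek script). Assumes signatures s1 and s2 are loaded,
# each with its own `event "..."` action and without requires-signature.
module SigAnd;

export {
    redef enum Notice::Type += { Both_Matched };   # hypothetical notice type
}

# Signature ids that must all match on one connection, in any order.
const required_sigs: set[string] = { "s1", "s2" };

# Per-connection record of which required signatures have matched so far.
global seen: table[conn_id] of set[string] &create_expire = 1 hr;

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id !in required_sigs )
        return;

    local id = state$conn$id;
    if ( id !in seen )
        seen[id] = set();
    add seen[id][state$sig_id];

    # Raise the notice once, when the last missing signature arrives.
    if ( |seen[id]| == |required_sigs| )
        {
        NOTICE([$note=Both_Matched, $conn=state$conn,
                $msg="s1 and s2 both matched on this connection"]);
        delete seen[id];
        }
    }

# Drop leftover state for connections that only ever matched one signature.
event connection_state_remove(c: connection)
    {
    delete seen[c$id];
    }
```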



