[Bro] How to write a signature definition for (event_A AND event_B)?
robin at icir.org
Wed Oct 22 14:37:04 PDT 2008
On Tue, Oct 21, 2008 at 21:42 +0000, you wrote:
> Is it possible to write an event expression (A AND B)?
Not directly with the signature language. You can however write a
Bro script (i.e., a script in Bro's primary language) which keeps
track of which signatures have matched so far. This way you can
implement arbitrary dependencies.
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
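
The approach described in the reply, as an added example that is not part of the original message: a script that records which of two signatures have matched on each connection and raises an event once both have. It is written against the names used by current Zeek (Bro's successor): `signature_match`, `sig_id` and `uid`. The signature IDs `sig-a` and `sig-b`, the module name `SigAnd` and the event `all_matched` are hypothetical.

```zeek
# Added example. Assumes a .sig file defines two signatures with the
# hypothetical IDs "sig-a" and "sig-b", each carrying an `event "..."`
# action so that a match generates the signature_match event, e.g.:
#
#   signature sig-a {
#       ip-proto == tcp
#       payload /.*pattern-a/
#       event "A matched"
#   }

module SigAnd;

export {
	# Signature IDs that must all match on the same connection (hypothetical).
	const required_sigs: set[string] = { "sig-a", "sig-b" } &redef;

	# Generated once when every required signature has matched on a connection.
	global all_matched: event(c: connection);
}

# Connection UID -> required signature IDs seen so far on that connection.
# Partial matches are forgotten after five minutes so state cannot grow
# without bound.
global seen: table[string] of set[string] &create_expire = 5 min;

event signature_match(state: signature_state, msg: string, data: string)
	{
	# Ignore signatures that are not part of the conjunction.
	if ( state$sig_id !in required_sigs )
		return;

	local uid = state$conn$uid;

	if ( uid !in seen )
		seen[uid] = set();

	add seen[uid][state$sig_id];

	# A AND B: fire only when the set of seen IDs covers all required IDs.
	if ( |seen[uid]| == |required_sigs| )
		{
		delete seen[uid];
		event SigAnd::all_matched(state$conn);
		}
	}
```

Keying the table on the originator address (`state$conn$id$orig_h`) instead of the connection UID would correlate matches across connections from the same host.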