[Bro] raw bytes question

Seth Hall hall.692 at osu.edu
Thu Apr 16 10:19:07 PDT 2009

Hi Tim,

On Apr 16, 2009, at 12:13 PM, Tim Rupp wrote:

> Is there an event I can hook that would allow me to do a regex on the
> raw bytes of a packet if I knew the hex pattern of the bytes I want to
> match?

If you want an example of working with signatures and policy script, I
went ahead and added a script for detecting SSN leakage that works by
having a signature that is subsequently handled in policy script.  It
uses a list of known US SSNs for your organization and filters out
false positives by using that list.  We've caught quite a few minor
violations with this script since we started running it.

Here's the policy script:

The corresponding signature definition file is here:

Let me know if you have any problems understanding what's happening
between the signature definition and the policy script.  That simple
interaction is a little muddied by the rest of the script.


Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
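An added illustration of the signature-to-policy-script handoff described above (not Seth's script, which is not attached here, and not part of the original message), assuming Bro 1.x-era syntax and field names: the signature fires an event on any dashed nine-digit candidate, and the policy script drops implausible numbers and anything not in a redef-able set of known SSNs before raising a notice. The file names, the signature id `ssn-candidate`, the set `known_ssns` and the notice type `SSN_Leak` are all constructed for this example.

```bro
# --- ssn.sig (constructed name) ---------------------------------------
# Bro anchors payload patterns at the start of the payload, hence the .*
signature ssn-candidate {
    ip-proto == tcp
    payload /.*[0-9]{3}-[0-9]{2}-[0-9]{4}/
    event "ssn-candidate"
}

# --- ssn.bro (constructed name) ---------------------------------------
@load notice

redef signature_files += "ssn.sig";
redef enum Notice += { SSN_Leak };

# SSNs belonging to your organization; populate via redef from a
# site-local file so the list never lives in the shared script.
const known_ssns: set[string] &redef;

const ssn_re = /[0-9]{3}-[0-9]{2}-[0-9]{4}/;

# Area 000, 666 and 9xx, group 00 and serial 0000 are never issued,
# so candidates carrying them are false positives by construction.
function plausible_ssn(s: string): bool
    {
    local area   = sub_bytes(s, 1, 3);   # sub_bytes is 1-based
    local group  = sub_bytes(s, 5, 2);
    local serial = sub_bytes(s, 8, 4);
    if ( area == "000" || area == "666" || /9[0-9]{2}/ == area )
        return F;
    return group != "00" && serial != "0000";
    }

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$id != "ssn-candidate" )
        return;

    local m = match_pattern(data, ssn_re);
    if ( ! m$matched || ! plausible_ssn(m$str) || m$str !in known_ssns )
        return;

    # Log only the last four digits so the notice itself isn't a leak.
    NOTICE([$note=SSN_Leak, $conn=state$conn,
            $msg=fmt("known SSN ***-**-%s seen in payload",
                     sub_bytes(m$str, 8, 4))]);
    }
```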