[Bro] Bro signatures

Rodrigue ALAHASSA rodrigue.alahassa at gmail.com
Sat Oct 22 09:45:05 PDT 2011


I get a little confused about content conditions for Bro signatures. I'm
working to automate the generation of signatures compliant with Bro.

I would like to know how Bro behaves in two cases. I tried to provide many
content-conditions for one signature. Let's say that I want to detect the
following patterns in a stream (just some examples):

1- common
2- attack
3- vulnerabilities

If I use the following condition, it will detect all occurrences of common
followed by attack and vulnerabilities:

payload /.*common.*attack.*vulnerabilities.*/

What if I use a combination of those expressions:

payload /.*common.*attack.*/
payload /.*vulnerabilities.*/

I looked around, but did not find anything to help me understand how the
signature engine will behave in these cases.

Thanks in advance for your help.


161 POL
Professeur Georges LEMAITRE
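An added illustration, not part of the original post or of Bro itself: a small Python emulation of the two forms the question compares. It assumes, following the Bro signature documentation, that every condition of one signature must hold for it to fire and that each payload regex is anchored at the start of the payload; the sample payloads are constructed.

```python
import re

# Constructed sample payloads (not taken from the original post).
PAYLOADS = {
    "ordered":   b"a common attack on known vulnerabilities",
    "reordered": b"known vulnerabilities, a common attack",
    "partial":   b"common attack without the third word",
}

# Form 1: one content condition, a single regex that fixes the order
# of all three tokens.
SINGLE = [rb".*common.*attack.*vulnerabilities.*"]

# Form 2: two content conditions evaluated independently; only the
# relative order inside each regex is enforced.
MULTI = [rb".*common.*attack.*", rb".*vulnerabilities.*"]


def signature_matches(conditions, payload):
    """Emulate one Bro signature carrying several `payload` conditions.

    Assumption (from the Bro documentation, not from the post): all
    conditions must hold, and each regex is implicitly anchored at the
    beginning of the payload, which is why re.match() is used here.
    """
    return all(re.match(c, payload, re.DOTALL) for c in conditions)


def evaluate(conditions):
    """Return {payload name: does the signature fire} for every sample."""
    return {name: signature_matches(conditions, p)
            for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    print("single condition :", evaluate(SINGLE))
    print("two conditions   :", evaluate(MULTI))
```

The "reordered" payload is the one that separates the two forms: the single regex rejects it because vulnerabilities precedes common, while the pair of conditions accepts it.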
