[Bro] change notice$note to match signature

김희철 hckim at narusec.com
Wed Jun 26 06:47:06 PDT 2013

All the signature notice$note values come out as Signatures::Sensitive_Signature.
I want to change the notice$note to the signature ID or a custom name.

I tried to do this with signature_match,
but it is not working.

If I use testsig.sig in local.bro, the notice comes out fine.

Do I have to approach this a different way?

@load-sigs ./testsig.sig

module test;
#redef signature_files += "testsig.sig";
redef enum Notice::Type += {NAVER.com_found};

event signature_match(state: signature_state, msg: string, data: string){

       if (/naver/ in state$sig_id){
        event Signatures::log_signature(rec: Signatures::Info){
       # print fmt("%s",data);
