[Bro] Protosig question, round 2

Jan Grashöfer jan.grashoefer at gmail.com
Fri Nov 4 16:32:47 PDT 2016

From https://www.bro.org/sphinx/frameworks/signatures.html:
> Note that the IP-in-IP forms of tunneling are automatically decapsulated by default and signatures apply to only the inner-most packet [...]

From time to time people want to attach analyzers at layer 2, which
isn't possible at the moment. Maybe once this part of Bro sees an
update, signatures and custom decapsulation analyzers can be integrated.
But that's a question for the devs.

