[Bro] Several protosig questions
robin at icir.org
Wed Oct 26 15:47:10 PDT 2016
On Mon, Oct 24, 2016 at 13:53 -0600, James Lay wrote:
> But the same results as above in conn.log. So I guess that's a feature
> request? To hard define either a first rule that matches gets logged, or
> the last rule that matches gets logged.
It's a feature, not a bug. :) The signature engine always reports all
matches, actually with the intention to *not* make order matter. What
you could do is add logic in scriptland that selects which match to
continue working with, based on some scheme you come up with (like
having a table of signature names map to priorities).
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
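
The priority-table approach suggested in the reply above, as an added example that is not part of the original message or of the Bro distribution. The module name, signature IDs, priorities and the `protosig` conn.log column are assumptions made for illustration, and the signatures are assumed to use the `event` action so that `signature_match` fires for them.

```zeek
# Added example: resolve multiple signature matches per connection by priority.
module ProtoSig;

export {
	# Hypothetical signature IDs mapped to priorities; the higher value wins.
	# Signatures not listed here are ignored by this script.
	const sig_priority: table[string] of count = {
		["protosig-generic-tls"] = 10,
		["protosig-vendor-app"] = 50,
	} &redef;
}

# Best match seen so far, kept on the connection record itself.
redef record connection += {
	protosig_best: string &optional;
};

# Hypothetical extra conn.log column holding the selected signature ID.
redef record Conn::Info += {
	protosig: string &log &optional;
};

event signature_match(state: signature_state, msg: string, data: string)
	{
	local id = state$sig_id;
	if ( id !in sig_priority )
		return;

	local c = state$conn;

	# The engine reports every match in no guaranteed order, so keep only
	# the highest-priority one. On a tie the earlier match is retained.
	if ( ! c?$protosig_best || sig_priority[id] > sig_priority[c$protosig_best] )
		c$protosig_best = id;
	}

# The base scripts write conn.log at priority -5, so copy the result first.
event connection_state_remove(c: connection) &priority=-4
	{
	if ( c?$protosig_best && c?$conn )
		c$conn$protosig = c$protosig_best;
	}
```

Because the table is `&redef`, the priorities can be adjusted from a site policy script without editing the handler.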