[Bro] Several protosig questions

Robin Sommer robin at icir.org
Wed Oct 26 15:47:10 PDT 2016



On Mon, Oct 24, 2016 at 13:53 -0600, James Lay wrote:

> But the same results as above in conn.log.  So I guess that's a feature
> request?  To hard define either a first rule that matches gets logged, or
> the last rule that matches gets logged.

It's a feature, not a bug. :) The signature engine always reports all
matches, actually with the intention to *not* make order matter. What
you could do is add logic in scriptland that selects which match to
continue working with, based on some scheme you come up with (like
having a table of signature names map to priorities).

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
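
Added example, not part of the original message or of the Bro distribution: one way to do the script-level selection suggested above, using a table that maps signature names to priorities and keeping only the highest-priority match per connection. The signature names, the module name and the field names best_sig and selected_sig are hypothetical, and it assumes each signature has an `event` action so that signature_match is raised for it.

```bro
module SigSelect;

export {
	## Hypothetical signature names mapped to priorities; higher wins.
	## Signatures not listed here get the default priority 0.
	const sig_priority: table[string] of count = {
		["protosig-example-a"] = 10,
		["protosig-example-b"] = 5,
	} &default=0 &redef;
}

# Per-connection scratch field holding the best match seen so far.
redef record connection += {
	best_sig: string &optional;
};

# Extra conn.log column carrying the selected signature name.
redef record Conn::Info += {
	selected_sig: string &optional &log;
};

# The signature engine raises this once for every matching signature,
# in no guaranteed order, so the choice is made here by priority.
event signature_match(state: signature_state, msg: string, data: string)
	{
	local c = state$conn;
	local id = state$sig_id;

	# On equal priority the earlier match is kept.
	if ( ! c?$best_sig || sig_priority[id] > sig_priority[c$best_sig] )
		c$best_sig = id;
	}

# Runs at the default priority 0: after the base scripts have filled in
# c$conn (priority 5) and before they write conn.log (priority -5).
event connection_state_remove(c: connection)
	{
	if ( c?$best_sig && c?$conn )
		c$conn$selected_sig = c$best_sig;
	}
```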

