[Bro] How to change the situation that BRO signature only match once at most
2015223040113 at stu.scu.edu.cn
Sun Mar 25 19:16:51 PDT 2018
I have recently worked on some BRO-ID works, that is, I want to intercept some REST messages from net interface using signatures, and I found that I can only intercept a part of all of the messages, for example, I can use tshark to intercept, let's say, 100 messages, but with BRO, there is only 50. And I have read the official document that says, "Each signature is reported at most once for every connection, further matches of the same signature are ignored". I just want to know is their any chance to change this situation? or did I configure something wrong?
Sherry from China
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro