[Bro] How to change the situation that BRO signature only match once at most

李雪莉 2015223040113 at stu.scu.edu.cn
Sun Mar 25 19:16:51 PDT 2018

Hi, everyone,
I have recently worked on some BRO-ID works, that is, I want to intercept some REST messages from net interface using signatures, and I found that  I can only intercept a part of all of the messages, for example, I can use tshark to intercept, let's say, 100 messages, but with BRO, there is only 50. And I have read the official document that says, "Each signature is reported at most once for every connection, further matches of the same signature are ignored". I just want to know is their any chance to change this situation? or did I configure something wrong?

Sherry from China
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180326/b5dcdef0/attachment.html 

More information about the Bro mailing list