[Bro-Dev] "event" signature option.

Seth Hall seth at icir.org
Thu Aug 18 07:43:50 PDT 2011


This question is mostly for Robin, but I thought that others could benefit from seeing the answer.

Why does the "event" signature option work like it does?  All it seems to do is give the supplied string to the signature_match event, but you essentially get that same functionality from the signature id that is given to the same event.  It seems to me like you'd provide the name of an event handler to the event option which would then be triggered when the signature matches.  That event handler would also have to take the same arguments as the signature_match event.  It would provide a nice way to skip over the signature->notice support that the signature framework provides since we keep using signatures for things other than direct detection of malicious activity.

Thanks,
  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
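As an added illustration (not code from the post or from the Bro project) of the behaviour the question describes: the string given to a signature's "event" option arrives as the `msg` argument of the script-level `signature_match` event, so a script can dispatch on it to its own handler without going through the signature framework's notice support. The signature file name, signature name, custom event name and the `signature_files` redef are assumptions made for this example.

```bro
# Contents of the assumed signature file my-sigs.sig (constructed example):
#
#   signature admin-path-probe {
#       ip-proto == tcp
#       dst-port == 80
#       payload /.*GET \/admin\//
#       event "admin-path-probe"
#   }

# Assumption: the signature file is picked up through signature_files.
redef signature_files += "my-sigs.sig";

# Hypothetical script-defined event that should fire for this signature.
global admin_path_probe: event(state: signature_state, data: string);

event signature_match(state: signature_state, msg: string, data: string)
	{
	# msg is the string from the signature's "event" option; state$sig_id is the
	# signature's own name.  With one string per signature the two carry the
	# same information, which is the point made in the question above.
	if ( msg == "admin-path-probe" )
		event admin_path_probe(state, data);
	}

event admin_path_probe(state: signature_state, data: string)
	{
	# Reached directly from signature_match, bypassing the signature->notice path.
	print fmt("%s: %s -> %s matched signature %s (%d payload bytes)",
	          network_time(), state$conn$id$orig_h, state$conn$id$resp_h,
	          state$sig_id, |data|);
	}
```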
