From trinhtuan at hn.vnn.vn Fri Dec 1 02:51:09 2000
From: trinhtuan at hn.vnn.vn (Trinh Anh Tuan)
Date: Fri, 1 Dec 2000 17:51:09 +0700
Subject: About event queue !
Message-ID: <001e01c05b84$cb284ac0$051a19ac@netmon.cfti.edu.vn>

Hello,

It seems very hard for me to understand the event queue mechanism in Bro; unfortunately, it is a very important part of packet processing. Can anybody drop me hints? Descriptions? Schema?...

Many thanks for all responses.

--------------------------------------------------------------------------------------
Trinh Anh Tuan
CMO/CFTI - Institute of Technology Research & Application
Ministry of Science, Technology and Environment
Tel: (84-4) 8541197
Fax: (84-4) 8548187

From trinhtuan at hn.vnn.vn Wed Dec 20 02:48:15 2000
From: trinhtuan at hn.vnn.vn (Trinh Anh Tuan)
Date: Wed, 20 Dec 2000 17:48:15 +0700
Subject: Pattern matching ?
Message-ID: <001201c06a72$6fca0360$051a19ac@netmon.cfti.edu.vn>

Hello,

It seems to be hard to do pattern matching in Bro to find a pattern in normal packets (packets that don't init/terminate an event, or aren't part of a protocol's command like "STOR xxx" in FTP but in the content of file xxx). For example, I want to alert on any attempt to use the command "su" in a Telnet session; alert if any file uploaded via FTP contains the pattern of a worm...

Am I right if I say Bro only pays attention to "special" packets like those above? If I'm not, please drop me an example of a policy script for the Telnet case mentioned above.

Hope to receive your reply soon.

PS: I'm using Bro v0.6

--------------------------------------------------------------------------------------
Trinh Anh Tuan
CMO/CFTI - Institute of Technology Research & Application
Ministry of Science, Technology and Environment
Tel: (84-4) 8541197
Fax: (84-4) 8548187