Pattern matching ?

Trinh Anh Tuan trinhtuan at hn.vnn.vn
Wed Dec 20 02:48:15 PST 2000


Hello,

It seems to be hard to do pattern matching in Bro to find a pattern in
normal packets (packets that don't init/terminate an event, or aren't
part of a protocol command like "STOR xxx" in FTP but are in the content of file
xxx). For example, I want to alert on any attempt to use the command "su" in a
Telnet session, or alert if any file uploaded via FTP contains the pattern of
a worm...

Am I right if I say Bro only pays attention to "special" packets like those
above? If I'm not, please drop me an example of a policy script for the
Telnet case mentioned above.

Hope to receive your reply soon.

PS: I'm using Bro v0.6
----------------------------------------------------------------------
Trinh Anh Tuan
CMO/CFTI - Institute of Technology Research & Application
Ministry of Science, Technology and Environment
Tel: (84-4) 8541197
Fax: (84-4) 8548187
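The Telnet "su" case in the question illustrates why content matching cannot be done on individual packets: a Telnet client in character-at-a-time mode typically sends one keystroke per TCP segment, so the string "su" rarely sits inside a single packet. Any detector therefore has to reassemble the TCP byte stream first and match on that. The script below is an added Python illustration of this point written for this page; it is not Bro code, not from the mailing list, and the sample segments, sequence numbers and the `Segment` helper are constructed for the example. It compares a naive per-segment match with a match on the reassembled stream, handling out-of-order and retransmitted segments.

```python
import re
from dataclasses import dataclass


@dataclass
class Segment:
    """One TCP segment of the client-to-server direction (constructed)."""
    seq: int        # TCP sequence number of the payload's first byte
    payload: bytes


# Constructed sample traffic (not a real capture): a Telnet client sends
# "ls" and then "su -".  The "su -" line is split across two segments,
# the segments arrive out of order, and one of them is retransmitted.
SEGMENTS = [
    Segment(seq=1005, payload=b"u -\r\n"),
    Segment(seq=1000, payload=b"ls\r\n"),
    Segment(seq=1004, payload=b"s"),
    Segment(seq=1004, payload=b"s"),      # duplicate (retransmission)
]

# "su" typed as its own command at the start of an input line,
# optionally followed by arguments; group 1 captures the command line.
SU_LINE = re.compile(rb"(?:^|\r\n?|\n)(su(?:[ \t][^\r\n]*)?)(?=\r|\n|$)")


def per_packet_hits(segments):
    """Naive detector: run the pattern over each segment on its own."""
    hits = []
    for s in segments:
        hits.extend(m.group(1) for m in SU_LINE.finditer(s.payload))
    return hits


def reassemble(segments):
    """Rebuild the byte stream: sort by sequence number, drop bytes that
    were already delivered (retransmissions/overlaps), stop at a hole."""
    stream = bytearray()
    expected = None
    for s in sorted(segments, key=lambda seg: seg.seq):
        if expected is None:
            expected = s.seq
        if s.seq > expected:
            break                               # gap: data not yet seen
        chunk = s.payload[expected - s.seq:]    # skip overlapping prefix
        stream += chunk
        expected += len(chunk)
    return bytes(stream)


def stream_hits(segments):
    """Stream detector: run the pattern over the reassembled data."""
    return [m.group(1) for m in SU_LINE.finditer(reassemble(segments))]


if __name__ == "__main__":
    print("per-packet:", per_packet_hits(SEGMENTS))   # []
    print("stream:    ", stream_hits(SEGMENTS))       # [b'su -']
```

The per-segment detector finds nothing because the "s" and "u" never share a packet, while the stream detector sees the command once the segments are ordered and de-duplicated. The same principle applies to the FTP case in the question: a worm signature inside an uploaded file can only be matched reliably on the reassembled data channel, not on the control-channel commands or on single packets.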