Bro <-> Snort documentation
Jim Mellander
jmellander at lbl.gov
Fri Jul 11 15:34:26 PDT 2003
I sent this to Vern, but thought a wider audience might be interested,
or have some answers.
Thanks Vern:
I'm planning on using the snort engine to extend KO (Kazaa
Obliterator). It looks like I could use a policy script like this:
signature kazaa-seen {
    ip-proto == tcp
    dst-ip == whatever
    dst-port == whatever (or omitted, I guess)
    payload /.*kazaa regular expression/
    eval function_to_execute_when_kazaa_seen
    event "kazaa seen"
}
The 'eval' & the 'event' are somewhat confusing. I presume that the
'signature_match' event is triggered with the string for action, but
when is the 'eval' called (before the event, or after), and with what
args? Presumably the connection information is available. I haven't
seen any running examples of the signature event. Do you have some
examples?
Thanks.
--
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204
Your fortune for today is:
The longest part of the journey is said to be the passing of the gate.
-- Marcus Terentius Varro
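The eval/event interplay asked about above, as an added example (not Jim's code and not from the Bro distribution): the eval function is called with the signature_state and the matched payload once the header and payload conditions hold, and the "kazaa seen" string is delivered as the msg argument of signature_match only when that function returns T. The function name, the default port 1214, the payload pattern and the &default table are assumptions chosen for the illustration.

```bro
# Signature file (e.g. loaded via the signature_files option); the
# port and payload pattern are assumed, not from the original post.
#
# signature kazaa-seen {
#     ip-proto == tcp
#     dst-port == 1214
#     payload /.*[Kk][Aa][Zz][Aa][Aa]/
#     eval kazaa_check
#     event "kazaa seen"
# }

# Policy script side.  Per-host hit counter, keyed on the originator.
global kazaa_hits: table[addr] of count &default = 0;

# Called by the 'eval' clause with the signature state and the payload
# that matched.  Returning F suppresses the match, so no signature_match
# event is raised for this packet; returning T lets it through.
function kazaa_check(state: signature_state, data: string): bool
	{
	# Only count traffic sent by the connection originator (the client).
	if ( ! state$is_orig )
		return F;

	++kazaa_hits[state$conn$id$orig_h];
	return T;
	}

# Raised after kazaa_check returned T.  'msg' is the string given to the
# 'event' clause, 'data' is the same payload kazaa_check saw.
event signature_match(state: signature_state, msg: string, data: string)
	{
	if ( msg != "kazaa seen" )
		return;

	local id = state$conn$id;
	print fmt("%s: %s:%s -> %s:%s (sig %s, %d hits from this host)",
	          msg, id$orig_h, id$orig_p, id$resp_h, id$resp_p,
	          state$id, kazaa_hits[id$orig_h]);
	}
```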