Bro <-> Snort documentation
Vern Paxson
vern at icir.org
Sun Jul 13 12:02:48 PDT 2003
> signature kazaa-seen {
> ip-proto == tcp
> dst-ip == whatever
> dst-port == whatever (or omitted, I guess)
> payload /.*kazaa regular expression/
> eval function_to_execute_when_kazaa_seen
> event "kazaa seen"
> }
>
>
> The 'eval' & the 'event' are somewhat confusing. I presume that the
> 'signature_match' event is triggered with the string for action, but
> when is the 'eval' called (before the event, or after), and with what
> args?
The function specified by "eval" is called before the signature is determined
to have triggered. It's passed in the signature_state just as is
signature_match. It returns a boolean, which must be T for the signature
to trigger.
For an example, see sig.ex.ssl-worm.bro and policy/ssl-worm.bro.
Vern
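As an added illustration of the answer above (not part of Vern's message, nor code from the Bro/Zeek project), here is the kazaa signature from the question paired with the policy it needs. The eval function is called by the signature engine before the match is accepted; only when it returns T does the engine go on to raise signature_match with the "kazaa seen" string. This example is written against the signature framework as documented for Zeek (eval takes the signature_state plus the matched data and returns bool; signature_state has sig_id, conn, is_orig and payload_size), which may differ in detail from the 2003 Bro API Vern is describing. The file names, port 1214, the payload pattern and the 16-byte threshold are assumptions chosen for illustration.

```zeek
# ---- kazaa.sig (hypothetical file, loaded with "bro -s kazaa.sig" or @load-sigs) ----
#
# signature kazaa-seen {
#     ip-proto == tcp
#     dst-port == 1214                   # assumed port, for illustration only
#     payload /.*[Kk][Aa][Zz][Aa][Aa]/   # leading .* because payload patterns
#                                        # match from the start of the stream
#     eval kazaa_eval                    # policy function; match only if it returns T
#     event "kazaa seen"                 # msg handed to signature_match
# }

# ---- kazaa.bro (hypothetical file) ----

# Connections already reported; entries age out so the set stays bounded.
global kazaa_seen_conns: set[conn_id] &create_expire = 1 hr;

# Called by the signature engine *before* kazaa-seen is considered matched.
# Returning F vetoes the match: no signature_match event, no "kazaa seen" log.
function kazaa_eval(state: signature_state, data: string): bool
	{
	# Only accept the pattern in the client -> server direction.
	if ( ! state$is_orig )
		return F;

	# Ignore tiny packets where a stray "kazaa" substring proves little
	# (16 is an assumed threshold, not a documented value).
	if ( state$payload_size < 16 )
		return F;

	# Report each connection once, even if the pattern recurs in later packets.
	if ( state$conn$id in kazaa_seen_conns )
		return F;

	add kazaa_seen_conns[state$conn$id];
	return T;
	}

# Raised only after kazaa_eval returned T; msg is the string from the
# signature's "event" line, data is the payload that matched.
event signature_match(state: signature_state, msg: string, data: string)
	{
	if ( state$sig_id != "kazaa-seen" )
		return;

	print fmt("%s: %s -> %s:%s (%d payload bytes, matched %d bytes)",
	          msg, state$conn$id$orig_h, state$conn$id$resp_h,
	          state$conn$id$resp_p, state$payload_size, |data|);
	}
```

The order of operations this shows is the point of Vern's answer: the regular expression fires first, then eval gets a chance to reject the match using connection context (direction, size, prior state), and only then does the event string reach signature_match. Anything you want to veto rather than merely log belongs in the eval function, not in the signature_match handler.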