simple pattern question

Terry Barker Terry.Barker at sas.com
Mon Jul 12 10:18:01 PDT 2004


I'm a Bro newbie, so please forgive me if this is a trivial question. I'm experimenting with the signature module and did the following simple test: Using the file "ntp-attack.trace" in the example-attacks directory in the bro-pub-0.8a86 release. I used this signature file

_________________________
signature testsig {
payload /version/
event "signature_match"
}

_________________________

The word "version" occurs several times in the payloads in this file, as can be seen using tcpdump -X.

This is the policy file I used (simplified from signatures.bro in the policy directory).

_________________________

global sig_file = open_log_file("signatures");

event signature_match(state: signature_state, msg: string, data: string)
{
    local id = state$id;
    local esc = escape_string(data);

    # Truncate long payloads for the log line.
    if ( byte_len(esc) > 20 )
        esc = fmt( "%s...", sub_bytes(esc, 0, 20) );

    print sig_file, fmt("SIGFILE %f %s/%d %s %s/%d %s %s [%s] %s", network_time(),
        state$conn$id$orig_h, state$conn$id$orig_p, state$is_orig ? ">" : "<",
        state$conn$id$resp_h, state$conn$id$resp_p, state$id, msg, esc, data );
    print fmt("SIGH %f %s [%s] %s", network_time(), msg, esc, data );
}

_________________________


When I run Bro with these files (and with no other policy files), there appear to be no matches. If instead I match on the dst-ip, i.e. using this signature file
_________________________

signature testsig {
    dst-ip == 128.3.9.239
    event "signature_match"
}
_________________________

I get the desired result (the correct connections are caught). Is something else required for the pattern feature?
Thanks,
	Terry Barker
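As an added illustration (not Bro code, and not from the original post), here is a small Python model of what the two signature files above ask Bro to do: it parses the `payload /re/`, `dst-ip ==` and `event` lines, runs both signatures over a few constructed packets, and applies the same escape-and-truncate-to-20 logic as the policy file. It assumes per-packet matching (Bro matches payload signatures against reassembled stream data, so this is a simplification) and the packet tuples are made up, not taken from ntp-attack.trace.

```python
import re
import ipaddress

# Both signatures from the post, given distinct ids so they can coexist.
SIG_TEXT = """
signature testsig {
    payload /version/
    event "signature_match"
}
signature testsig_ip {
    dst-ip == 128.3.9.239
    event "signature_match"
}
"""

# Constructed packets: (orig_h, orig_p, resp_h, resp_p, is_orig, payload).
PACKETS = [
    ("10.0.0.5", 1024, "128.3.9.239", 123, True,  b"\x17\x00\x03*version=\"xntpd 3-5.93e\"\x00"),
    ("10.0.0.5", 1024, "128.3.9.239", 123, False, b"\x97\x00\x03*stratum=2"),
    ("10.0.0.6", 2000, "128.3.9.239", 123, True,  b"\x1b" + b"\x00" * 47),
    ("10.0.0.7", 53,   "10.0.0.9",    53,  True,  b"version"),
]

SIG_RE = re.compile(r"signature\s+(\w+)\s*\{(.*?)\}", re.S)

def parse_signatures(text):
    """Parse the subset of Bro signature syntax used in the post."""
    sigs = []
    for name, body in SIG_RE.findall(text):
        sig = {"id": name, "payload": None, "dst_ip": None, "event": None}
        for line in (l.strip() for l in body.splitlines()):
            if line.startswith("payload"):
                sig["payload"] = re.compile(line.split("/", 1)[1].rsplit("/", 1)[0].encode())
            elif line.startswith("dst-ip"):
                sig["dst_ip"] = ipaddress.ip_address(line.split("==", 1)[1].strip())
            elif line.startswith("event"):
                sig["event"] = line.split('"')[1]
        sigs.append(sig)
    return sigs

def escape_string(data):
    """Printable ASCII stays, everything else becomes \\xHH (like Bro's escape_string)."""
    return "".join(chr(b) if 32 <= b < 127 and b != 92 else "\\x%02x" % b for b in data)

def match(sigs, packets):
    """Return (sig id, direction string, truncated escaped payload) for every hit."""
    hits = []
    for orig_h, orig_p, resp_h, resp_p, is_orig, payload in packets:
        dst = ipaddress.ip_address(resp_h if is_orig else orig_h)  # packet's real destination
        for sig in sigs:
            if sig["payload"] is not None and not sig["payload"].search(payload):
                continue
            if sig["dst_ip"] is not None and dst != sig["dst_ip"]:
                continue
            esc = escape_string(payload)
            if len(esc) > 20:
                esc = esc[:20] + "..."
            hits.append((sig["id"], f"{orig_h}/{orig_p} {'>' if is_orig else '<'} {resp_h}/{resp_p}", esc))
    return hits
```

Note that the server reply (second packet) is not a dst-ip hit, because its destination is the client, which is the same per-packet semantics the post's dst-ip signature relies on.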