[Bro] Custom Signatures

Anandraj anandrajm at fastmail.fm
Fri Jun 30 23:39:14 PDT 2006

Hi all,

For the following signature built into ../site/signatures.bro
signature s2b-719-7-BRO { /*a rename from s2b-719-7 to s2b-719-7-BRO  */
  ip-proto == tcp
  src-port == 23
  event "TELNET root login"
  tcp-state established,responder
  payload /.*login\x3A root/

I could find a log in the Signatures-xxx.log

TELNET root login:t::

But when I added the following custom signature in
I could not find a log in Signatures-xxx.log (the event occurred; I did a
login as anand)

/*Signature for the event when the user name is anand */
signature telnet_test{
ip-proto == tcp
src-port == 23
event "TELNET anand login"
tcp-state established,responder
payload /.*login: anand/

I did try bro -s ../site/signatures.bro! There was no response... I had
to do a Ctrl+C!

Could someone help me with this!!

Thanks,
