[Bro] Using a 'OR' condition in Signature payloads
Jaya Dhanesh
dhanesh at tataelxsi.co.in
Mon Oct 30 19:02:56 PST 2006
Hi All,
I was trying to implement an 'OR' condition in the signature payload to
match either of the two patterns given in the payload.
For example:
signature abc-21 {
    ip-proto == tcp
    . . . .
    . . . .
    payload /.*(abc) | (xyz).*/
}
When I run Bro with this signature, I am able to see a log for the packet
that matches the pattern first, i.e., the packet with abc or xyz (whichever
comes first) gets logged and the rest doesn't generate a log.
Only one pattern matches always and the others go unnoticed.
Is there anything wrong in writing the 'OR' condition?
Thanks in advance,
Dhanesh.