[Bro] Using a 'OR' condition in Signature payloads

Jaya Dhanesh dhanesh at tataelxsi.co.in
Mon Oct 30 19:02:56 PST 2006


Hi All,

I was trying to implement an 'OR' condition in the signature payload to
match either of the two patterns
given in payload.

For example:

signature abc-21 {
	ip-proto == tcp
	. . . .
	. . . .
	payload /.*(abc) | (xyz).*/
}

When I run Bro with this signature, I was able to see a log for the packet
that matches the pattern first, i.e., the packet with
abc or xyz (whichever comes first) gets logged and the rest don't generate
a log.
Only one pattern always matches and the others go unnoticed.

Is there anything wrong in writing the 'OR' condition?

Thanks in advance,
Dhanesh.
