[Bro] Using a 'OR' condition in Signature payloads

Jaya Dhanesh dhanesh at tataelxsi.co.in
Mon Oct 30 19:51:32 PST 2006



Hi,

>Yes, this should be written instead as:
>	payload /.*(abc)|(xyz).*/
>Or, if you want to match "abc" or "xyz" anywhere in the payload, as:
>	payload /.*(abc|xyz).*/

I wrote the same pattern in the payload; only the first packet that matches
the pattern (either 'abc' or 'xyz') gets logged.

Bro checks for the pattern in each packet, so I should have got logs for all
the packets that have at least one of the patterns.

Dhanesh.
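The quoted reply's point about why the alternation needs its own group is easy to see on a few sample payloads. The script below is an added example, not code from this thread or from Bro itself: it uses Python's `re.fullmatch` as a stand-in for a matcher that anchors the regex at both ends of the payload (which is what the leading and trailing `.*` in the reply are compensating for), and the payload strings are constructed here, not taken from the list.

```python
import re

# Constructed sample payloads (not from the original thread).
PAYLOADS = [
    "abc",
    "xyz",
    "GET /abc HTTP/1.0",
    "xyz followed by more data",
    "prefix then xyz",
    "nothing of interest",
]

# The two patterns from the quoted reply.
# Alternation binds loosest, so the ungrouped form is parsed as
# ( .*abc ) | ( xyz.* ) rather than .*( abc | xyz ).*
UNGROUPED = r".*(abc)|(xyz).*"
GROUPED = r".*(abc|xyz).*"


def anchored_match(pattern: str, payload: str) -> bool:
    """Return True if the whole payload matches the pattern.

    Assumption: re.fullmatch models a matcher anchored at both ends of
    the payload; it is an approximation for illustration, not Bro's
    signature engine.  DOTALL lets .* span newlines in binary payloads.
    """
    return re.fullmatch(pattern, payload, re.DOTALL) is not None


def classify(payloads):
    """Map each payload to (ungrouped_matches, grouped_matches)."""
    return {
        p: (anchored_match(UNGROUPED, p), anchored_match(GROUPED, p))
        for p in payloads
    }


if __name__ == "__main__":
    for payload, (ungrouped, grouped) in classify(PAYLOADS).items():
        print(f"{payload!r:32} ungrouped={ungrouped!s:5} grouped={grouped}")
```

With anchoring, `.*(abc)|(xyz).*` only accepts payloads that end with "abc" or begin with "xyz", so "GET /abc HTTP/1.0" and "prefix then xyz" are missed even though each contains one of the strings; `.*(abc|xyz).*` accepts both. Checking a signature this way on a handful of constructed payloads before deploying it is a cheap way to catch a precedence mistake that would otherwise show up only as missing alerts.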