[Bro] Using a 'OR' condition in Signature payloads

Robin Sommer robin at icir.org
Tue Oct 31 16:44:29 PST 2006


On Tue, Oct 31, 2006 at 00:32 -0800, Vern Paxson wrote:

> I believe what's going on is that "payload" is matching the TCP *byte-stream*
> rather than individual packets.  As such, there's just one match to the
> pattern, since the .*'s eat up everything else in the byte-stream.

That's right.

> There's an option to just match packet payloads, but I don't recall what
> it is.

No, there is no option (UDP is matched packet-wise but even for UDP
Bro reports each signature-match only once per UDP flow).

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
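The three matching behaviours the thread contrasts (TCP byte-stream, per-packet, and UDP packet-wise with one report per flow) as an added model in Python's `re` module; this is illustrative code written for this archive page, not Bro's signature engine, and the segments, the `admin`/`scanner` tokens and the use of `DOTALL` are constructed assumptions.

```python
import re

# Constructed sample traffic: three TCP segments of one connection. Each
# segment carries one of the two tokens the signature alternates on.
SEGMENTS = [
    b"GET /admin HTTP/1.0\r\n",
    b"User-Agent: scanner\r\n",
    b"GET /admin?x=1 HTTP/1.0\r\n",
]

# Bro-style payload regex with an OR. The surrounding .* are what let a
# single match swallow the whole stream; DOTALL lets . cross line breaks,
# as a matcher over a reassembled byte stream would.
ORED = re.compile(rb".*admin.*|.*scanner.*", re.DOTALL)
# The same alternation without the .* wrappers, for comparison only.
BARE = re.compile(rb"admin|scanner")


def stream_matches(segments, pattern):
    """TCP semantics from the thread: match the reassembled byte stream."""
    stream = b"".join(segments)
    return sum(1 for _ in pattern.finditer(stream))


def packet_matches(packets, pattern):
    """Per-packet semantics: every packet is matched on its own."""
    return sum(1 for pkt in packets if pattern.search(pkt))


def udp_flow_reports(packets, pattern):
    """UDP semantics from the thread: matched packet-wise, reported once per flow."""
    return 1 if any(pattern.search(pkt) for pkt in packets) else 0


if __name__ == "__main__":
    print("stream, .*-wrapped:", stream_matches(SEGMENTS, ORED))   # 1
    print("stream, bare tokens:", stream_matches(SEGMENTS, BARE))  # 3
    print("per packet:", packet_matches(SEGMENTS, ORED))           # 3
    print("UDP, once per flow:", udp_flow_reports(SEGMENTS, ORED)) # 1
```

The first two lines of output show that the `.*` wrappers, not the OR itself, collapse the stream into a single match; the last two show why the same signature would fire three times under per-packet matching but is still reported once per UDP flow.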


