[Bro] signature match bug
Robin Sommer
robin at icir.org
Thu Feb 8 16:59:25 PST 2007
On Wed, Feb 07, 2007 at 02:50 -0800, Yuppie wrote:
> I found this comment in RuleMatcher.cc.
>
> // - Sometimes, the signature match event is generated after a
> // connection_finished (or similar) event. Using the default rules.bro,
> // this means that we will not see the rule id in the connection summary.
Hmm... I think the comment is out of date. These days the connection
summaries are generated by a connection_state_remove() handler in
conn.bro. I don't think a signature_match can be generated *after*
the connection_state_remove event (which is raised when the internal
connection state is flushed). So, seems there's nothing to fix. :-)
Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org