[Bro] Clarification reg signatures
Jaya Dhanesh
dhanesh at tataelxsi.co.in
Thu Mar 1 20:15:01 PST 2007
Hi all,
I have a clarification regarding writing signatures. I want to check only the first 4 bytes of the tcp payload.

I tried using

    signature payload-3 {
        ip-proto == tcp
        event "First three bytes matched"
        payload/.{0,3}\x0a\x2a\x17/
    }

This signature didn't match. Can anyone suggest how to compare the first 'n' bytes of the payload?

I also saw patterns like payload/{4}reg-exp/ in the signatures file. What do they imply?
Thanks,
Dhanesh.