[Bro] Clarification reg signatures

Jaya Dhanesh dhanesh at tataelxsi.co.in
Thu Mar 1 20:15:01 PST 2007
Hi all,

I have a clarification regarding writing signatures. I want to check only the first 4 bytes of the TCP payload.

I tried using
signature payload-3 {
	ip-proto == tcp
	event "First three bytes matched"
	payload/.{0,3}\x0a\x2a\x17/
}

This signature didn't match. Can anyone suggest how to compare the first 'n' bytes of the payload?

I also saw patterns like payload/{4}reg-exp/ in the signatures file. What do they imply?


Thanks,
Dhanesh.
