[Bro] Regarding signatures

Ayyappa Suryanarayana T ayyappa at tataelxsi.co.in
Fri Mar 9 03:53:35 PST 2007


Hi all,

      I am having trouble matching the same signature for packets in different connections: it matches one connection but not another, even though the packets have the same payload.

The signature that is to be matched is the following:
signature gtalk_test {
  event "gtalk test received"
  payload /\x17\x03\x01/
}

I tried the following signature also

signature gtalk_one {
  event "gtalk one received"
  payload /.{0,0}\x17/
  payload /.{1,1}\x03/
  payload /.{2,2}\x00/
}

The pcap that is not matching is attached along with this mail.

Can anyone help me understand how signature matching happens in bro-1.2.1?

                                      Thanks
                                      Ayyappa
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jabber-matched.pcap.pcap
Type: application/octet-stream
Size: 987 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070309/ed142716/attachment.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jabber-unmatched.pcap.pcap
Type: application/octet-stream
Size: 699 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20070309/ed142716/attachment-0001.obj 
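An added illustration, not part of the original post and not Bro's own code: a small Python model of how a `payload` regex behaves when it is anchored at byte 0 of the reassembled connection stream (the semantics Bro's signature engine documents for `payload`; this model assumes that, and assumes the stream is evaluated from the first payload byte of the connection). The two sample streams are constructed here, not taken from the attached pcaps: one begins directly with the bytes 17 03 01, the other is an XMPP/Jabber-style session whose plaintext stream header and STARTTLS exchange precede those bytes. The `gtalk_one` check uses the byte values exactly as written in the post (note its third condition pins byte 2 to 0x00, while `gtalk_test` requires 0x01 at that offset, so the two signatures cannot both match the same stream).

```python
import re

# Constructed sample streams (not the attached pcaps).
# Stream A: the connection payload starts with the three bytes the
# signature looks for.
STREAM_TLS_FIRST = b"\x17\x03\x01\x00\x20" + b"A" * 32

# Stream B: an XMPP/Jabber-style session. The plaintext stream header and
# STARTTLS negotiation come first; the 17 03 01 bytes appear only later.
STREAM_STARTTLS = (
    b"<stream:stream xmlns='jabber:client' to='example.test'>"
    b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    b"\x17\x03\x01\x00\x20" + b"B" * 32
)

# Patterns taken from the post.
GTALK_TEST = rb"\x17\x03\x01"
GTALK_ONE = [rb".{0,0}\x17", rb".{1,1}\x03", rb".{2,2}\x00"]  # all must hold


def anchored_match(pattern: bytes, payload: bytes) -> bool:
    """Model of a Bro `payload` condition: the regex must match starting at
    byte 0 of the stream (re.match is anchored, like Bro's engine)."""
    return re.match(pattern, payload, re.DOTALL) is not None


def unanchored_match(pattern: bytes, payload: bytes) -> bool:
    """Same regex allowed to start anywhere, i.e. the effect of writing
    `payload /.*\x17\x03\x01/` instead of `payload /\x17\x03\x01/`."""
    return re.search(pattern, payload, re.DOTALL) is not None


def evaluate(payload: bytes) -> dict:
    """Run both signatures from the post against one connection stream."""
    return {
        "gtalk_test_anchored": anchored_match(GTALK_TEST, payload),
        "gtalk_test_unanchored": unanchored_match(GTALK_TEST, payload),
        # Multiple payload conditions in one signature are ANDed.
        "gtalk_one_anchored": all(anchored_match(p, payload) for p in GTALK_ONE),
        # Where the record header actually sits in the stream (-1 if absent).
        "first_record_offset": payload.find(b"\x17\x03\x01"),
    }


if __name__ == "__main__":
    for name, stream in (("tls-first", STREAM_TLS_FIRST),
                         ("starttls", STREAM_STARTTLS)):
        print(name, evaluate(stream))
```

Running it shows the distinction that matters when two connections carry the same bytes but the signature fires on only one: in the first stream the header is at offset 0 and the anchored `gtalk_test` matches, while in the second stream the same bytes sit after the plaintext XMPP exchange, so the anchored form fails and only the `.*`-prefixed form finds them. `gtalk_one` matches neither stream because of the 0x00 at byte 2.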