[Bro] Bro: TCP, regex
Robin Sommer
robin at icir.org
Wed Nov 7 21:21:09 PST 2007
On Wed, Nov 07, 2007 at 19:15 -0500, you wrote:
> Do the Bro signatures work on a different layer than the
> scripting/policy layer?
Yes, the signature matching is done inside the core. Only if there's
a match, an event is passed to the policy layer.
> In the code, which are the relevant files I need to look to understand
> whether this is done like you mentioned?
The code implementing the signatures is in Rule*.{h,cc}.
Robin
--
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org