[Bro] getting raw bytes?
Gregor Maier
gregor at icir.org
Wed Aug 10 08:57:35 PDT 2011
> You are just looking to write a signature...
More info on signatures:
http://www.bro-ids.org/documentation/signatures.html
> ==== x11.sigs =====
> signature x11_6_special_bytes {
> ip-proto == tcp
> dst-port == 6000
> payload /\x01\x00\x0b\x00\x00\x00/
> tcp-state responder
event "foo"
is missing here.
cu
Gregor
--
Gregor Maier
<gregor at icir.org> <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/