[Bro] Bro Signatures

Rodrigue ALAHASSA rodrigue.alahassa at gmail.com
Sun Aug 28 05:06:16 PDT 2011


Hi,

1 - What's the difference between these types of signatures?
What I'm trying to understand is when it could become handy to split the
payload over many regular expressions.

signature sid-542 {
        # single payload regex covering both SMTP commands
        ip-proto == tcp
        payload /.*EHLO.*MAIL FROM.*/
        event "sid-542"
}

signature sid-543 {
        # two separate payload regexes, one per SMTP command
        ip-proto == tcp
        payload /.*EHLO.*/
        payload /.*MAIL FROM.*/
        event "sid-543"
}

Is the order of appearance of signature attributes important for Bro to
trigger an alert?

Thanks for your help.
-- 
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE
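The following Python script is an added illustration and is not part of the original post or of Bro itself. It models the two signature forms from the question as regex condition lists: in Bro's signature framework every condition of a signature must hold for the signature to match, and a payload regex is matched from the start of the payload (hence the leading `.*`). The script mirrors that with `re.match` and an all-conditions-must-match rule; the SMTP payloads are constructed samples, and `re.DOTALL` is an assumption made so that `.` spans line breaks in the model.

```python
import re

# Model of signature sid-542: one regex, so EHLO must precede MAIL FROM.
SID_542 = [re.compile(rb".*EHLO.*MAIL FROM.*", re.DOTALL)]

# Model of signature sid-543: two payload conditions, each evaluated on its own.
SID_543 = [
    re.compile(rb".*EHLO.*", re.DOTALL),
    re.compile(rb".*MAIL FROM.*", re.DOTALL),
]


def matches(conditions, payload):
    """True when every condition matches the payload (Bro ANDs all conditions)."""
    # re.match anchors at the start, like a Bro payload regex.
    return all(c.match(payload) is not None for c in conditions)


# Constructed sample payloads (not real captures).
PAYLOADS = {
    "normal":    b"EHLO mail.example.test\r\nMAIL FROM:<alice@example.test>\r\n",
    "reversed":  b"MAIL FROM:<alice@example.test>\r\nEHLO mail.example.test\r\n",
    "ehlo_only": b"EHLO mail.example.test\r\nQUIT\r\n",
}


def evaluate(payloads=PAYLOADS):
    """Return, per payload, whether each modelled signature would fire."""
    return {
        name: {
            "sid-542": matches(SID_542, p),
            "sid-543": matches(SID_543, p),
        }
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:10s} sid-542={result['sid-542']}  sid-543={result['sid-543']}")
```

The "reversed" payload is the one that separates the two forms: the single regex insists on EHLO appearing before MAIL FROM, while the two independent conditions only require that both strings be present somewhere, so sid-543 fires and sid-542 does not. A payload containing only one of the commands satisfies neither form.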

