[Bro] Bro Signatures
Rodrigue ALAHASSA
rodrigue.alahassa at gmail.com
Sun Aug 28 05:06:16 PDT 2011
Hi,
1 - What's the difference between these types of signature?
What I'm trying to understand is when it could become handy to split the
payload over many regular expressions.
signature sid-542 {
    ip-proto == tcp
    payload /.* EHLO .* MAIL FROM .*/
    event "sid-542"
}

signature sid-543 {
    ip-proto == tcp
    payload /.*EHLO.*/
    payload /.* MAIL FROM .*/
    event "sid-543"
}
Is the order of appearance of signature attributes important for Bro to
trigger an alert?
Thanks for your help.
--
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE