[Bro] signatures

Dop dopheide at ncsa.illinois.edu
Fri Feb 4 09:02:47 PST 2011


(Last one for today, I promise)

Given these two signatures:

signature s2b-1939-4 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,6,2
  event "MISC bootp hardware address length overflow"
  payload /\x01/
}

signature s2b-1940-3 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,7,1
  event "MISC bootp invalid hardware type"
  payload /\x01/
}

We see both of them (which I'm about to ignore), but I don't understand
why one is triggered over the other.


Thanks,
Dop
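Added illustration (not part of the post, and not code from Bro or snort2bro): the two converted signatures differ only in the byte_test clauses the converter dropped, so what remains of both is `ip-proto == udp`, `dst-port == 67` and `payload /\x01/`, which match the same packets. The script below models the original Snort byte_test semantics (`bytes, operator, value, offset`, big-endian) against constructed BOOTP requests whose header starts with op, htype, hlen, hops at offsets 0 to 3, and assumes, as Bro's documentation describes, that the payload regex is anchored at the start of the UDP payload. Sample packets and the `bootp_request`, `snort_byte_test` and `evaluate` helpers are constructed for this example.

```python
import re
import struct


def bootp_request(htype: int, hlen: int) -> bytes:
    """Constructed BOOTP request: op=1 (BOOTREQUEST), then htype, hlen, hops,
    followed by the rest of the fixed 240-byte header zeroed out."""
    header = struct.pack("!BBBB", 1, htype, hlen, 0)
    return header + b"\x00" * 236


def snort_byte_test(payload: bytes, nbytes: int, op: str, value: int, offset: int) -> bool:
    """Minimal model of Snort's byte_test: read `nbytes` big-endian bytes at
    `offset` and compare the integer with `value` using `op`."""
    if offset + nbytes > len(payload):
        return False
    field = int.from_bytes(payload[offset:offset + nbytes], "big")
    return {">": field > value, "<": field < value, "=": field == value}[op]


# What survived conversion in both s2b-1939-4 and s2b-1940-3: a payload regex
# that Bro matches anchored at the start of the UDP payload (assumption).
BRO_PAYLOAD = re.compile(rb"\x01")


def bro_payload_matches(payload: bytes) -> bool:
    return BRO_PAYLOAD.match(payload) is not None


# The dropped clauses, decoded from the "Not supported" comments:
#   s2b-1939: byte_test: 1,>,6,2 -> one byte at offset 2 (hlen)  must be > 6
#   s2b-1940: byte_test: 1,>,7,1 -> one byte at offset 1 (htype) must be > 7
def snort_1939(payload: bytes) -> bool:
    return bro_payload_matches(payload) and snort_byte_test(payload, 1, ">", 6, 2)


def snort_1940(payload: bytes) -> bool:
    return bro_payload_matches(payload) and snort_byte_test(payload, 1, ">", 7, 1)


def evaluate(payload: bytes) -> dict:
    """Compare what the converted Bro signatures see (both reduce to the same
    regex) with what the original Snort rules would have required."""
    bro = bro_payload_matches(payload)
    return {
        "bro_1939": bro,            # identical to bro_1940 after conversion
        "bro_1940": bro,
        "snort_1939": snort_1939(payload),
        "snort_1940": snort_1940(payload),
    }


# Constructed samples: a normal Ethernet request (htype=1, hlen=6), one with an
# oversized hardware address length, and one with an out-of-range hardware type.
SAMPLES = {
    "normal":    bootp_request(htype=1, hlen=6),
    "long_hlen": bootp_request(htype=1, hlen=16),
    "bad_htype": bootp_request(htype=9, hlen=6),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, evaluate(pkt))
```

Running it shows every sample lighting up both converted Bro signatures, while only the `long_hlen` packet satisfies the original 1939 rule and only `bad_htype` satisfies 1940; the normal request satisfies neither. Which of the two Bro events is reported for a given packet therefore comes down to how the engine orders two signatures with identical match conditions, not to anything in the packet.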
