[Bro] signatures
Dop
dopheide at ncsa.illinois.edu
Fri Feb 4 09:02:47 PST 2011
(Last one for today, I promise)
Given these two signatures:
signature s2b-1939-4 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,6,2
  event "MISC bootp hardware address length overflow"
  payload /\x01/
}

signature s2b-1940-3 {
  ip-proto == udp
  dst-port == 67
  # Not supported: byte_test: 1,>,7,1
  event "MISC bootp invalid hardware type"
  payload /\x01/
}
We see both of them (which I'm about to ignore), but I don't understand
why one is triggered over the other.
Thanks,
Dop
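
Added example, not part of the original post and not Bro code: a small Python model of the two signatures above, evaluated with and without the byte_test conditions that are commented out as "Not supported". It assumes Snort's byte_test argument order (bytes, operator, value, offset), the RFC 951 BOOTP header layout (op, htype, hlen, hops), and that the payload pattern is tested at the start of the payload; the packets are constructed sample data.

```python
import re
import struct

# Conditions the two signatures still enforce are identical; only the
# commented-out byte_test differs between them.
SIGS = {
    "s2b-1939-4": {"proto": "udp", "dport": 67, "payload": rb"\x01",
                   "byte_test": (1, ">", 6, 2)},   # hlen  > 6
    "s2b-1940-3": {"proto": "udp", "dport": 67, "payload": rb"\x01",
                   "byte_test": (1, ">", 7, 1)},   # htype > 7
}

def byte_test(payload, spec):
    """Snort byte_test: <bytes>, <operator>, <value>, <offset> (big-endian)."""
    nbytes, op, value, offset = spec
    if op != ">":
        raise ValueError("only '>' is needed for these two rules")
    if offset + nbytes > len(payload):
        return False  # not enough data to test
    return int.from_bytes(payload[offset:offset + nbytes], "big") > value

def matches(sig, proto, dport, payload, with_byte_test):
    """Evaluate one signature, with or without the unsupported byte_test."""
    # Assumption: the payload pattern is tested at the start of the payload.
    ok = (proto == sig["proto"] and dport == sig["dport"]
          and re.match(sig["payload"], payload) is not None)
    if ok and with_byte_test:
        ok = byte_test(payload, sig["byte_test"])
    return ok

def bootp(op=1, htype=1, hlen=6):
    """Constructed BOOTP message start: op, htype, hlen, hops, xid, padding."""
    return struct.pack("!BBBBI", op, htype, hlen, 0, 0x12345678) + bytes(228)

def fired(payload, with_byte_test):
    """Names of the signatures that match a UDP/67 packet with this payload."""
    return sorted(name for name, sig in SIGS.items()
                  if matches(sig, "udp", 67, payload, with_byte_test))

if __name__ == "__main__":
    samples = [("normal Ethernet request", bootp()),
               ("hlen=16", bootp(hlen=16)),
               ("htype=32", bootp(htype=32))]
    for label, pkt in samples:
        print(label, "| without byte_test:", fired(pkt, False),
              "| with byte_test:", fired(pkt, True))
```

Without the byte_test, both signatures reduce to the same three conditions, so an ordinary BOOTREQUEST (op = 1, htype = 1, hlen = 6) satisfies both of them.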