[Bro] Signatures

Neslog neslog at gmail.com
Thu Feb 10 06:54:33 PST 2011


Not sure within policy but you may want to try tcpreplay and set to
generate the traffic at wire speed instead of disk I/O.

On 2/10/11, David Rodrigues <david.network.security at gmail.com> wrote:
> Thanks,
>
> using @load file-flush (with a dash) worked :)
>
> But now I'm running into another problem.
>
> The signature is only triggered once for the same host and for a given
> period of time.
>
> Is there a way to report every single signature match?
>
> On Wed, Feb 9, 2011 at 7:20 PM, Seth Hall <seth at icir.org> wrote:
>>
>> On Feb 9, 2011, at 1:14 PM, Neslog wrote:
>>
>>> How about the file_flush.bro?  When I'm testing I load that one with a
>>> short time interval.
>>
>>
>> Good catch.  I had a nagging feeling that I was missing something.
>>
>>  .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro-ids.org/
>>
>>
>
