[Bro] Signatures

David Rodrigues david.network.security at gmail.com
Mon Feb 21 01:02:17 PST 2011


I'm sorry. I'll be more precise.

The signature is only triggered once for the same host and for a given
period of time (and for the same TCP connection).

If I close and restart the connection the signature is always triggered.

Is that normal?

Thanks,

David

On Wed, Feb 16, 2011 at 8:33 PM, Seth Hall <seth at icir.org> wrote:
>
> On Feb 10, 2011, at 4:57 AM, David Rodrigues wrote:
>
>> using @load file-flush (with a dash) worked :)
>
> Oops!
>
>> The signature is only triggered once for the same host and for a given
>> period of time.
>>
>> Is there a way to report every single signature match?
>
>
> Sorry to sort of disappear on you for a few days.  I haven't had a chance to test yet, but I'm surprised that you are only seeing this trigger once.  Could you capture some traffic and send the signature you are using?  By default, it should be triggering on every match for a host.
>
> Thanks,
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>



