[Bro] Signatures

David Rodrigues david.network.security at gmail.com
Wed Feb 23 02:24:42 PST 2011


First I thought it was a bug. I only realized that it only concerned
the same tcp connections after my first e-mail. But the behavior is
different for Suricata. That's why I asked if it was a bug or normal
behavior for Bro. But now it's crystal clear.

Thanks a lot,

David

On Wed, Feb 23, 2011 at 6:08 AM, Seth Hall <seth at icir.org> wrote:
>
> On Feb 21, 2011, at 4:02 AM, David Rodrigues wrote:
>
>> The signature is only triggered once for the same host and for a given
>> period of time (and for the same tcp connection).
>>
>> If I close and restart the connection the signature is always triggered.
>>
>> Is that normal?
>
>
> Ah!  I believe that is normal.  I don't think that the same signature will trigger multiple times in the same TCP connection.
>
> Can you give any more details about the scenario in which you need this?  The example doesn't have enough context for me to know if there is another way of implementing what you are trying to accomplish.
>
> Thanks,
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>



