[Bro] Signature payload matching
Robin Sommer
robin at icir.org
Tue Jul 5 14:55:02 PDT 2011
On Tue, Jul 05, 2011 at 23:06 +0200, Rodrigue ALAHASSA wrote:
> I would like to know if the matching of the payload as a condition is done
> against all the session data or more like per packet matching.
It's matched against the reassembled session payload. There's some
more information on details of the matching process here:
http://www.bro-ids.org/documentation/signatures.html
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
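
An added example, not part of the original message and not Bro's code: a small Python model of the difference between per-packet matching and matching against the reassembled session payload, as described in the reply above. The segments, sequence numbers and pattern are constructed, and the reassembly is simplified (no sequence wraparound; keeping the first copy of retransmitted bytes is an assumption of this sketch).

```python
import re

# Constructed segments for one direction of a TCP session: (sequence number, payload).
# They arrive out of order, one is a retransmission, and the string being
# searched for straddles the boundary between two segments.
ISN = 1000
SEGMENTS = [
    (1000, b"USER alice\r\nDATA CANA"),
    (1035, b"QUIT\r\n"),
    (1021, b"RY-TOKEN end\r\n"),
    (1000, b"USER alice\r\nDATA CANA"),  # retransmission
]
PATTERN = re.compile(rb"CANARY-TOKEN")   # constructed payload pattern


def match_per_packet(segments, pattern):
    """True if any single segment payload matches on its own."""
    return any(pattern.search(data) for _, data in segments)


def reassemble(segments, isn):
    """Rebuild the byte stream in sequence order, stopping at the first gap."""
    stream = bytearray()
    next_seq = isn
    for seq, data in sorted(segments, key=lambda s: s[0]):
        end = seq + len(data)
        if end <= next_seq:   # bytes already delivered (retransmission)
            continue
        if seq > next_seq:    # hole: later bytes cannot be delivered yet
            break
        stream += data[next_seq - seq:]   # append only the new bytes
        next_seq = end
    return bytes(stream)


def match_reassembled(segments, isn, pattern):
    """True if the pattern occurs anywhere in the reassembled stream."""
    return pattern.search(reassemble(segments, isn)) is not None


if __name__ == "__main__":
    print("per-packet :", match_per_packet(SEGMENTS, PATTERN))
    print("reassembled:", match_reassembled(SEGMENTS, ISN, PATTERN))
```
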