[Bro] Signature payload matching

Rodrigue ALAHASSA rodrigue.alahassa at gmail.com
Thu Jul 7 00:23:34 PDT 2011


Hi,

Once a signature has been written, compiled and matched against traffic, I
noticed that sometimes there are entries in both signatures.log and notice.log,
and sometimes there are entries only in notice.log.

I haven't changed the default settings of signatures.bro yet (no local site
configuration). I wonder in which cases Bro is told to write to
signatures.log.

Thanks.

Rodrigue

On Wed, Jul 6, 2011 at 9:00 PM, <bro-request at bro-ids.org> wrote:

> Send Bro mailing list submissions to
>        bro at bro-ids.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> or, via email, send a message with subject or body 'help' to
>        bro-request at bro-ids.org
>
> You can reach the person managing the list at
>        bro-owner at bro-ids.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Bro digest..."
>
> Today's Topics:
>
>   1. Signature payload matching (Rodrigue ALAHASSA)
>   2. Re: Signature payload matching (Robin Sommer)
>
>
> ---------- Forwarded message ----------
> From: Rodrigue ALAHASSA <rodrigue.alahassa at gmail.com>
> To: bro at bro-ids.org
> Date: Tue, 5 Jul 2011 23:06:27 +0200
> Subject: [Bro] Signature payload matching
> Hi all,
>
> I'm working for automation of signature generation for Bro from pcap trace
> files.
> I would like to know if the matching of the payload as a condition is done
> against all the session data or more like per packet matching.
>
> Thanks
>
> --
> Rodrigue ALAHASSA
> Royal Military Academy, Brussels
>
>
> ---------- Forwarded message ----------
> From: Robin Sommer <robin at icir.org>
> To: Rodrigue ALAHASSA <rodrigue.alahassa at gmail.com>
> Date: Tue, 5 Jul 2011 14:55:02 -0700
> Subject: Re: [Bro] Signature payload matching
>
> On Tue, Jul 05, 2011 at 23:06 +0200, Rodrigue ALAHASSA wrote:
>
> > I would like to know if the matching of the payload as a condition is done
> > against all the session data or more like per packet matching.
>
> It's matched against the reassembled session payload. There's some
> more information on details of the matching process here:
>
>    http://www.bro-ids.org/documentation/signatures.html
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
>
> _______________________________________________
> Bro mailing list
> Bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>


-- 
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE
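Robin's answer quoted above (payload conditions are matched against the reassembled session payload, not packet by packet) is the point worth seeing concretely. The following is an added example, not code from this thread and not Bro's own implementation: a toy single-direction TCP reassembler in Python, run over constructed segments in which the string "root" is deliberately split across two segments and one segment arrives out of order. The segment contents, sequence numbers and the pattern are all constructed for the illustration.

```python
import re
from collections import namedtuple

# One direction of a TCP session as constructed sample segments:
# (sequence number, payload). The string "root" is split across two
# segments on purpose, one segment arrives early, and one is retransmitted.
Segment = namedtuple("Segment", ["seq", "payload"])
ISN = 1000  # constructed initial sequence number for this direction
SEGMENTS = [
    Segment(1000, b"GET /cgi-bin/sea"),
    Segment(1031, b" HTTP/1.0\r\n"),  # arrives before the middle segments
    Segment(1016, b"rch?q=ro"),
    Segment(1024, b"ot-pass"),
    Segment(1016, b"rch?q=ro"),       # retransmission: must not duplicate bytes
]


class StreamReassembler:
    """Minimal in-order payload reassembly for one direction of a TCP session."""

    def __init__(self, isn):
        self.next_seq = isn
        self.pending = {}        # seq -> payload, waiting for a gap to close
        self.data = bytearray()  # contiguous bytes delivered so far

    def add(self, seg):
        seq, payload = seg.seq, seg.payload
        if seq < self.next_seq:
            overlap = self.next_seq - seq
            if overlap >= len(payload):
                return           # pure retransmission of already delivered bytes
            seq, payload = self.next_seq, payload[overlap:]
        self.pending.setdefault(seq, payload)
        # Deliver every buffered segment that is now contiguous with the stream.
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            self.data += chunk
            self.next_seq += len(chunk)

    def stream(self):
        return bytes(self.data)

    def has_gap(self):
        """True while some bytes are buffered behind a missing segment."""
        return bool(self.pending)


def per_packet_matches(pattern, segments):
    """Sequence numbers at which the pattern matches inside a single segment."""
    hits = []
    for seg in segments:
        m = pattern.search(seg.payload)
        if m:
            hits.append(seg.seq + m.start())
    return hits


def session_match(pattern, segments, isn):
    """Match against the reassembled payload. Returns (sequence number of the
    first hit or None, reassembled bytes)."""
    r = StreamReassembler(isn)
    for seg in segments:
        r.add(seg)
    m = pattern.search(r.stream())
    return (isn + m.start() if m else None), r.stream()


if __name__ == "__main__":
    sig = re.compile(rb"root")
    print("per-packet hits:", per_packet_matches(sig, SEGMENTS))   # []
    print("session hit at :", session_match(sig, SEGMENTS, ISN)[0])  # 1022
```

The per-packet scan never sees "root" because no single segment carries it, while the session scan finds it at stream offset 1022 once the bytes are in order and the retransmission has been discarded. The practical consequence for anyone generating signatures from pcap traces, as the original question describes, is that a `payload` condition can be written against the content as the application would see it; in exchange, a match can only be reported once the reassembler has the contiguous bytes, so a missing segment (`has_gap()` true) delays or prevents the match rather than producing a partial one.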

