[Bro] Bro signatures
Rodrigue ALAHASSA
rodrigue.alahassa at gmail.com
Sat Oct 22 09:45:05 PDT 2011
Hi,
I am a little confused about content conditions for Bro signatures. I'm
working on automating the generation of signatures compliant with Bro.
I would like to know how Bro behaves in two cases. I tried to provide many
content-conditions for one signature. Let's say that I want to detect the
following patterns in a stream (just some examples):
1- common
2- attack
3- vulnerabilities
If I use the following condition, it will detect all occurrences of common
followed by attack and vulnerabilities,
payload /.*common.*attack.*vulnerabilities.*/
What if I use a combination of those expressions:
payload /*common.*attack.*/
payload /*vulnerabilities*/
I looked around, but did not find anything to help me understand how the
signature engine will behave in these cases.
Thanks in advance for your help.
R. ALAHASSA
--
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE
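Added example (not part of the original post, and not Bro's own code): a small Python emulation of the two signature forms the question asks about. It assumes the two rules the Bro signature framework documents for payload conditions: all conditions of one signature are ANDed, and each payload pattern is matched anchored at the beginning of the payload, which is why the leading .* is needed. The .sig text inside is constructed for this illustration, the payloads are made up, and nothing else about the engine (which bytes of a stream are scanned, other condition types) is modelled. Note that the post's /*common.*attack.*/ has a leading * with nothing to repeat, which is not a valid pattern in most regex engines; the emulation uses /.*common.*attack/.

```python
import re

# Constructed Bro signature file for this illustration; it is not from the
# original post.  Three signatures look for the same three words with
# different combinations of payload conditions.
SIG_FILE = """\
signature ordered-one-pattern {
    ip-proto == tcp
    payload /.*common.*attack.*vulnerabilities/
    event "common, attack and vulnerabilities, in that order"
}

signature split-two-patterns {
    ip-proto == tcp
    payload /.*common.*attack/
    payload /.*vulnerabilities/
    event "common before attack, and vulnerabilities anywhere"
}

signature forgot-leading-dot-star {
    ip-proto == tcp
    payload /common.*attack.*vulnerabilities/
    event "only fires when the payload starts with common"
}
"""

# Minimal parser for the parts of the .sig syntax used above: signature
# blocks and their payload lines.  Other condition types are ignored.
SIG_BLOCK_RE = re.compile(r"signature\s+(\S+)\s*\{(.*?)\}", re.S)
PAYLOAD_LINE_RE = re.compile(r"^\s*payload\s+/(.*)/\s*$", re.M)


def parse_payload_conditions(sig_text):
    """Return {signature name: [payload regex, ...]} for each signature."""
    return {name: PAYLOAD_LINE_RE.findall(body)
            for name, body in SIG_BLOCK_RE.findall(sig_text)}


def signature_matches(conditions, payload):
    """Emulate the documented semantics of payload conditions: every
    condition of a signature must hold (they are ANDed), and each regex
    is matched anchored at the start of the payload, which is why the
    leading .* is needed.  re.match() anchors at the start only."""
    return all(re.match(regex, payload) for regex in conditions)


def evaluate(sig_text, payloads):
    """Map each signature name to the indices of the payloads it fires on."""
    sigs = parse_payload_conditions(sig_text)
    return {name: [i for i, p in enumerate(payloads)
                   if signature_matches(conds, p)]
            for name, conds in sigs.items()}


# Constructed sample payloads (not captured traffic).
PAYLOADS = [
    "common web attack exploiting known vulnerabilities",  # 0: all three, in order
    "vulnerabilities in a common attack vector",           # 1: vulnerabilities first
    "attack on a common host",                             # 2: attack before common
    "GET /common/attack.html HTTP/1.0",                    # 3: no vulnerabilities
    "a common attack exploits vulnerabilities",            # 4: in order, not at start
]

if __name__ == "__main__":
    for name, hits in evaluate(SIG_FILE, PAYLOADS).items():
        print(f"{name}: fires on payloads {hits}")
```

What it shows: the single ordered pattern fires only when the three words occur in sequence (payloads 0 and 4), while the two separate payload conditions are satisfied independently and then ANDed, so the signature also fires when "vulnerabilities" precedes "common" (payload 1). The third signature shows the effect of dropping the leading .*: it fires only on the payload that begins with "common". To check the same signatures against real traffic, write the .sig text to a file and run bro -r <trace.pcap> -s <file.sig>, then look at signatures.log.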