[Bro] Bro signatures

Rodrigue ALAHASSA rodrigue.alahassa at gmail.com
Sat Oct 22 09:45:05 PDT 2011


Hi,

I'm a little confused about content conditions for Bro signatures. I'm
working to automate the generation of signatures compliant with Bro.

I would like to know how Bro behaves in two cases. I tried to provide
several content conditions for one signature. Let's say that I want to
detect the following patterns in a stream (just some examples):

1- common
2- attack
3- vulnerabilities

If I use the following condition, it will detect all occurrences of common
followed by attack and vulnerabilities:

payload /.*common.*attack.*vulnerabilities.*/

What if I use a combination of those expressions:

payload /.*common.*attack.*/
payload /.*vulnerabilities.*/

I looked around, but did not find anything to help me understand how the
signature engine will behave in these cases.

Thanks in advance for your help.

R. ALAHASSA

-- 
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE
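The following is an added example, not part of the original post and not Bro's own code. It emulates in Python the documented rule that every condition listed in one Bro signature must hold for the signature to match (the conditions are ANDed), with each `payload` regex applied on its own to the same payload, and shows where the single-regex form and the two-condition form from the question disagree: the split form no longer constrains where "vulnerabilities" appears relative to the other two words. Anchoring each regex at the start of the payload (`re.match`) is an assumption made to mirror the leading `.*` in the patterns; Python's `re` engine is not Bro's matcher, so this only illustrates the logical combination, not Bro's stream handling. All sample payloads are constructed.

```python
import re

# The two formulations from the question, written as lists of payload
# conditions. In a Bro signature file they would look like the text in
# REFERENCE_SIGNATURE; here they are just regex strings.
SINGLE_CONDITION = [r".*common.*attack.*vulnerabilities.*"]
SPLIT_CONDITIONS = [r".*common.*attack.*", r".*vulnerabilities.*"]

# Illustrative signature block (assumed layout, for reference only; not parsed here).
REFERENCE_SIGNATURE = """
signature common-attack-vulns {
  ip-proto == tcp
  payload /.*common.*attack.*/
  payload /.*vulnerabilities.*/
  event "common/attack/vulnerabilities seen"
}
"""


def signature_matches(conditions, payload):
    """Return True only if every payload condition matches the payload.

    This mirrors the AND semantics of conditions within one Bro signature.
    re.match anchors at the beginning of the payload, which is why the
    patterns carry a leading '.*' (assumption: Bro's matching is likewise
    anchored at the start of the data).
    """
    return all(re.match(cond, payload) is not None for cond in conditions)


def compare_forms(payload):
    """Evaluate both formulations on one payload: (single_form, split_form)."""
    return (
        signature_matches(SINGLE_CONDITION, payload),
        signature_matches(SPLIT_CONDITIONS, payload),
    )


# Constructed sample payloads covering the interesting orderings.
SAMPLES = {
    "in order":        "a common attack with known vulnerabilities",
    "vulns first":     "vulnerabilities enable a common attack",
    "missing attack":  "common vulnerabilities only",
    "wrong order":     "attack on a common host with vulnerabilities",
}


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        single, split = compare_forms(payload)
        print(f"{label:15} single={single!s:5} split={split!s:5}  {payload!r}")
```

The "vulns first" sample is the one that separates the two forms: the single regex fails because it requires "vulnerabilities" after "attack", while the split form matches because each condition is checked independently and both are satisfied. Everything else (a missing word, "attack" before "common") fails under both forms.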