[Bro] Signature payload matching

Rodrigue ALAHASSA rodrigue.alahassa at gmail.com
Sat Sep 17 12:22:30 PDT 2011


The matching is done against the whole session for TCP sessions.
For UDP sessions, it is much like per-packet matching.

R. Alahassa

On Sat, Sep 17, 2011 at 9:00 PM, <bro-request at bro-ids.org> wrote:

> ---------- Forwarded message ----------
> From: Kristen Eisenberg <kristen.eisenberg at yahoo.com>
> To: "bro at bro-ids.org" <bro at bro-ids.org>
> Date: Sat, 17 Sep 2011 11:37:38 -0700 (PDT)
> Subject: [Bro] (no subject)
> [Bro] Signature payload matching
>
> Hi all,
>
> I'm working for automation of signature generation for Bro from pcap trace
> files.
> I would like to know if the matching of the payload as a condition is done
> against all the session data or more like per packet matching.
>
> Thanks
>
> Kristen Eisenberg
> Billige Flüge
> Marketing GmbH
> Emanuelstr. 3,
> 10317 Berlin
> Germany
> Phone: +49 (33)
> 5310967
> Email:
> utebachmeier at gmail.com
> Site:
> http://flug.airego.de
> - Compare cheap flights
>


-- 
SLt COC ALAHASSA
161 POL
Professeur Georges LEMAITRE
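
The behaviour described in the reply above, modelled as an added example that is not part of the original thread and is not Bro's code: a pattern that straddles a segment boundary matches on the reassembled TCP stream but not on individual UDP datagrams. The packets, flow names and `match_flows` helper are constructed for illustration, and reassembly is simplified to ordering by sequence offset with no overlapping segments.

```python
import re
from collections import defaultdict

# Constructed sample traffic: (proto, flow id, TCP sequence offset or None, payload).
# The TCP segments arrive out of order and the pattern straddles their boundary.
PACKETS = [
    ("tcp", "10.0.0.1:4000>10.0.0.2:80", 8, b"ex.html HTTP/1.0\r\n\r\n"),
    ("tcp", "10.0.0.1:4000>10.0.0.2:80", 0, b"GET /ind"),
    ("udp", "10.0.0.1:5000>10.0.0.2:9000", None, b"GET /ind"),
    ("udp", "10.0.0.1:5000>10.0.0.2:9000", None, b"ex.html HTTP/1.0\r\n\r\n"),
    ("udp", "10.0.0.3:5001>10.0.0.2:9000", None, b"GET /index.html"),
]
PATTERN = rb"GET /index\.html"


def match_flows(packets, pattern, reassemble_tcp=True):
    """Return {flow id: True/False} for a payload pattern.

    reassemble_tcp=True  : TCP is matched once over the ordered byte stream,
                           UDP datagram by datagram (the behaviour in the reply).
    reassemble_tcp=False : every packet is matched on its own, for contrast.
    """
    rx = re.compile(pattern)
    hits = {}
    segments = defaultdict(dict)          # flow -> {seq offset: payload}
    for proto, flow, seq, data in packets:
        if proto == "tcp" and reassemble_tcp:
            segments[flow].setdefault(seq, data)   # ignore retransmitted copies
        else:
            hits[flow] = hits.get(flow, False) or bool(rx.search(data))
    for flow, segs in segments.items():
        stream = b"".join(segs[s] for s in sorted(segs))
        hits[flow] = bool(rx.search(stream))
    return hits


if __name__ == "__main__":
    for mode in (True, False):
        print("reassemble_tcp =", mode)
        for flow, hit in match_flows(PACKETS, PATTERN, mode).items():
            print("  ", flow, "match" if hit else "no match")
```

For signature generation from pcap traces, this means a candidate payload pattern for UDP has to fit inside a single datagram, while a TCP pattern can be taken from the reassembled stream.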