[Bro] signature question

Mike Sconzo sconzo at visiblerisk.com
Mon Apr 8 11:33:31 PDT 2013


I've got 2 signatures that I've defined, and I'm trying to figure out
the best way to see if both have fired an event in the same
connection.

Specifically, I'm curious if signature A hits before signature B.
Below is some [pseudo]code to describe the scenario. I'm confused about
what set_state() does (I just copied this from an example I found). I
can see that both signatures hit, however the "if ( c$sig_a_seen )" is
always False. It seems that the assignment of "c$sig_a_seen = T;"
doesn't get added to the connection to get referenced in other events.
What am I missing to get this value to persist through the entire
connection?

Thanks for the input.
-=Mike

export {
    redef record Info += { sig_a_seen: bool &default=F; };
}

event signature_match(state: signature_state, msg: string, data: string)
    {
    # state$conn is the connection record the signature matched on.
    local c = state$conn;
    set_state(c, F, F);
    local message = "";

    if ( /^signature/ in state$sig_id )
        {
        message = fmt("%s signature found", state$sig_id);
        print message;
        c$sig_a_seen = T;
        }
    # If I do a print c here, then I can see that if it's signature A
    # it's set T, but signature B is set F.
    if ( /signatureB/ in state$sig_id )
        {
        if ( c$sig_a_seen )
            {
            print "I've seen A followed by B";
            }
        }
    }


--
cat ~/.bash_history > documentation.txt
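The ordering check described in the post, written out as an added example (this is not code from the post or from the Bro project). It extends the built-in `connection` record, which is the type of `state$conn`, rather than an `Info` record, and uses an `&optional` field plus the `?$` test so the "A seen" state is carried by the connection itself across events. The signature IDs "sigA" and "sigB", the module name and the printed messages are assumptions; substitute the IDs from your own .sig file.

```bro
# Added example: track whether signature A fires before signature B on the
# same connection. Signature IDs "sigA"/"sigB" and module name are assumed.
module SigOrder;

export {
    redef record connection += {
        ## Time at which sigA matched on this connection; absent until then.
        sig_a_time: time &optional;
        ## Whether sigB matched on this connection.
        sig_b_seen: bool &default=F;
    };
}

event signature_match(state: signature_state, msg: string, data: string)
    {
    # Records are reference types, so writing through c updates the
    # connection record the core keeps for the rest of the connection.
    local c = state$conn;

    if ( state$sig_id == "sigA" )
        {
        # Only record the first A match so the interval below is A -> B.
        if ( ! c?$sig_a_time )
            c$sig_a_time = network_time();
        print fmt("%s: sigA matched", c$uid);
        }

    else if ( state$sig_id == "sigB" )
        {
        c$sig_b_seen = T;
        if ( c?$sig_a_time )
            print fmt("%s: sigB matched %s after sigA", c$uid,
                      network_time() - c$sig_a_time);
        else
            print fmt("%s: sigB matched without a prior sigA", c$uid);
        }
    }

event connection_state_remove(c: connection)
    {
    # Report connections where A fired but B never followed before teardown.
    if ( c?$sig_a_time && ! c$sig_b_seen )
        print fmt("%s: sigA seen, no sigB before connection ended", c$uid);
    }
```

Because the field lives on `connection`, it is visible in any later event handler that receives the same record (here `connection_state_remove`), so the A-then-B check does not depend on the two matches arriving in one `signature_match` invocation.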
