[Bro] change notice$note to match signature
김희철
hckim at narusec.com
Wed Jun 26 06:47:06 PDT 2013
Hi,
All the signature notice$note values come out as Signatures::Sensitive_Signature.
I want to change the notice$note to the signature ID or a custom name.
I tried to do this with signature_match,
but this is not working.
If I use testsig.sig in local.bro, the notice comes out fine.
Do I have to approach this in a different way?
---------------------------
@load-sigs ./testsig.sig
module test;
#redef signature_files += "testsig.sig";
redef enum Notice::Type += {NAVER.com_found};
event signature_match(state: signature_state, msg: string, data: string){
    if (/naver/ in state$sig_id){
        event Signatures::log_signature(rec: Signatures::Info){
            rec$note=NAVER.com_found;
        }
        # print fmt("%s",data);
    }
}
----------------------------
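
One way to get a custom notice type for a matching signature, as an added example that is not part of the original post: handle `signature_match` yourself and raise your own notice, while telling the signatures framework to skip its default `Signatures::Sensitive_Signature` handling for that ID. The notice name `Naver_Found`, the constant `custom_sigs` and the signature ID placeholder are assumptions; the post does not show the contents of testsig.sig.

```bro
# Added example for Bro 2.x, not code from the original post.
@load base/frameworks/notice
@load base/frameworks/signatures
@load-sigs ./testsig.sig

module test;

export {
    redef enum Notice::Type += {
        # Assumed name. Enum identifiers cannot contain a dot.
        Naver_Found,
    };
}

# Assumed selector: signature IDs that should get the custom notice type.
const custom_sigs = /naver/ &redef;

# Stop the framework from also raising Signatures::Sensitive_Signature.
# The table is keyed by the exact signature ID; replace the placeholder
# with the ID used in testsig.sig. SIG_IGNORE makes the framework skip
# the match entirely, so it is not written to signatures.log either.
redef Signatures::actions += {
    ["SIGNATURE-ID-PLACEHOLDER"] = Signatures::SIG_IGNORE,
};

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( custom_sigs in state$sig_id )
        {
        # Raise the notice directly instead of trying to rewrite the
        # record that the signatures framework logs.
        NOTICE([$note=Naver_Found,
                $msg=fmt("%s: %s", state$sig_id, msg),
                $sub=data,
                $conn=state$conn]);
        }
    }
```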