[Bro] signature match script
martin
martin at gta.ufrj.br
Mon Sep 23 12:38:23 PDT 2013
Hi guys, I'm new to Bro scripts. I'm trying to test the simplest
signature match script. I have read the manual and some examples, but it
is not working.
So I tried the following:
in signatura.sig:
signature my-first-sig {
    ip-proto == tcp
    dst-port == 12345
    payload /.*hello/
    event "Signature Found"
}
in test_sig.bro (which was added to local.bro):
@load base/frameworks/notice
@load base/frameworks/signatures/main
@load-sigs ./signatura.sig # in the same directory as this script

# Raised by the core whenever a signature from a loaded .sig file matches
event signature_match(state: signature_state, msg: string, data: string)
    {
    print fmt("Match!!! %s", msg);
    print fmt("%s", data);
    }

# Prints every TCP payload seen, to confirm the traffic is being captured at all
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    print fmt("%s", payload);
    }
So I created a socket to connect to the host and sent messages just to test it.
When I run the program
bro -i eth0 local # the interface is the correct one
I can see the payload of the TCP packets (the messages I'm sending), but
I don't get any kind of signature.log, nor the print I'm doing.
What could be happening?
Thanks
-- Martin
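As an added example, not code from the original post, here is a version of the same test script that makes the two questions in the post separately observable: whether the script and its signature file were loaded at all (a bro_init print), and whether the signature framework acted on the match (an explicit Signatures::actions entry so a match is written to signatures.log and raises Signatures::Sensitive_Signature). It assumes the poster's signatura.sig with the signature ID my-first-sig sits next to this script; the ID and port come from the post, everything else is an assumption of this example.

```bro
# test_sig.bro (added example; assumes ./signatura.sig defines "my-first-sig")
@load base/frameworks/notice
@load base/frameworks/signatures/main
@load-sigs ./signatura.sig

# Tell the signature framework what to do with this signature ID:
# SIG_ALARM writes a signatures.log entry and raises a Sensitive_Signature notice.
redef Signatures::actions += { ["my-first-sig"] = Signatures::SIG_ALARM };

# Startup print: if this never appears, the script itself was not loaded
# (so the signature file was not loaded either).
event bro_init()
    {
    print "test_sig.bro loaded; watching for my-first-sig";
    }

# Match handler: state$sig_id names the signature, state$conn the connection,
# msg is the text from the signature's "event" line, data the matched payload.
event signature_match(state: signature_state, msg: string, data: string)
    {
    local id = state$conn$id;
    print fmt("signature %s matched (%s) on %s:%s -> %s:%s",
              state$sig_id, msg, id$orig_h, id$orig_p, id$resp_h, id$resp_p);
    print fmt("matched payload: %s", data);
    }
```

Run it the same way as in the post (bro -i eth0 local, with test_sig.bro loaded from local.bro); a successful match should then show up in three places at once: the print above, signatures.log, and notice.log.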