[Bro] signature match script

Patrick Powell ppowell at 21ct.com
Mon Sep 23 18:40:37 PDT 2013


Martin,
The .sig file looks fine. I don't load those in local.bro; I load them in
<BRO_DIR_>/base/frameworks/signatures/main.bro. I have my sigs in that
directory as well.

Patrick Powell
Security Analyst
21CT, Inc.
Direct: 512.682.4754
Cell: 210.587.9255
Direct Fax: 512.682.4749




On 9/23/13 6:46 PM, "martin" <martin at gta.ufrj.br> wrote:

>
>
>
>Hi guys, I'm new to Bro scripts. I'm trying to test the easiest
>signature match script. I have read the manual and some examples, but it
>is not working.
>
>So I tried the following.
>In signatura.sig:
>
>signature my-first-sig {
>    ip-proto == tcp
>    dst-port == 12345
>    payload /.*hello/
>    event "Signature Found"
>}
>
>In test_sig.bro (which was added to local.bro):
>
>@load base/frameworks/notice
>@load base/frameworks/signatures/main
>@load-sigs ./signatura.sig # in the same directory
>
>event signature_match(state: signature_state, msg: string, data: string)
>{
>    print fmt("Match!!! %s", msg);
>    print fmt("%s", data);
>}
>
>event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
>                 ack: count, len: count, payload: string)
>{
>    print fmt("%s", payload);
>}
>
>So I created a socket to connect to the host and send messages just to test
>it.
>When I run the program
>bro -i eth0 local # the interface is the correct one
>I can see the payload of the TCP packets (the messages I'm sending), but
>I don't get any signature.log at all, not even the print I'm doing.
>What could be happening?
>Thanks
>
>-- Martin
>
>
>
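Added illustration, not code from the thread or from Bro itself: a small Python model of how the conditions in a .sig file like the one above are evaluated, so the match semantics can be checked offline. The conditions of one signature are AND-ed, and the payload regex is tried only at the start of the payload, which is why the signature in the thread begins with `.*`; the second signature in the constructed text, and the helper names parse_sigs and match, are assumptions made for this example.

```python
import re
# Constructed .sig text: the thread's my-first-sig plus a second signature
# (an assumption, not from the thread) whose pattern has no leading ".*".
SIG_TEXT = """
signature my-first-sig {
  ip-proto == tcp
  dst-port == 12345
  payload /.*hello/
  event "Signature Found"
}
signature anchored-sig {
  ip-proto == tcp
  dst-port == 12345
  payload /hello/
  event "Anchored hit"
}
"""

def parse_sigs(text):
    """Parse the subset of Bro's .sig syntax used above into {id: conditions}."""
    sigs = {}
    for sid, body in re.findall(r"signature\s+(\S+)\s*\{(.*?)\}", text, re.S):
        sig = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments and blanks
            if not line:
                continue
            key, _, value = line.partition(" ")
            value = value.strip()
            if key in ("ip-proto", "dst-port"):
                sig[key] = value.split("==", 1)[1].strip()
            elif key == "payload":  # Bro anchors the regex at payload start,
                sig[key] = re.compile(value.strip("/"), re.S)  # as re.match does
            elif key == "event":
                sig[key] = value.strip('"')
        sigs[sid] = sig
    return sigs

def match(sigs, proto, dst_port, payload):
    """Event messages of every signature all of whose conditions hold (AND)."""
    hits = []
    for sig in sigs.values():
        if sig.get("ip-proto") not in (None, proto):
            continue
        if sig.get("dst-port") not in (None, str(dst_port)):
            continue
        if "payload" in sig and not sig["payload"].match(payload):
            continue
        hits.append(sig.get("event", ""))
    return hits
```

Running match(parse_sigs(SIG_TEXT), "tcp", 12345, "say hello") fires only my-first-sig, while a payload that starts with "hello" fires both; a different port or protocol fires neither.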