[Bro] signature match script

martin martin at gta.ufrj.br
Tue Sep 24 05:58:55 PDT 2013


It must be something else. I tried what you said, Patrick, but it is still
not working.
Maybe there is something in the configuration I should switch on?
On 09/23/2013 10:40 PM, Patrick Powell wrote:
> Martin,
> The .sig file looks fine.  I don't load those in local.bro, I load them in
> <BRO_DIR_>/base/frameworks/signatures/main.bro.  I have my sigs in that
> directory as well.
>
> Patrick Powell
> Security Analyst
> 21CT, Inc.
> Direct: 512.682.4754
> Cell: 210.587.9255
> Direct Fax: 512.682.4749
>
> On 9/23/13 6:46 PM, "martin" <martin at gta.ufrj.br> wrote:
>
>>
>> Hi guys, I'm new to Bro scripts. I'm trying to test the simplest
>> signature match script. I have read the manual and some examples, but it
>> is not working.
>>
>> So I tried the following.
>> In signatura.sig:
>>
>> signature my-first-sig {
>>     ip-proto == tcp          # TCP connections only
>>     dst-port == 12345        # responder port
>>     payload /.*hello/        # regex over the connection payload
>>     event "Signature Found"  # raise signature_match with this message
>> }
>>
>> In test_sig.bro (which was added to local.bro):
>>
>> @load base/frameworks/notice
>> @load base/frameworks/signatures/main
>> @load-sigs ./signatura.sig  # in the same directory as this script
>>
>> # Fires once per signature hit; msg is the string given in the .sig event action
>> event signature_match(state: signature_state, msg: string, data: string)
>>     {
>>     print fmt("Match!!! %s", msg);
>>     print fmt("%s", data);
>>     }
>>
>> # Fires for every TCP packet, used here only to confirm the traffic is seen
>> event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
>>                  ack: count, len: count, payload: string)
>>     {
>>     print fmt("%s", payload);
>>     }
>>
>> So I create a socket to connect to the host and send messages just to test
>> it.
>> When I run the program
>> bro -i eth0 local  # the interface is the correct one
>> I can see the payload of the TCP packets (the messages I'm sending), but
>> I don't get any kind of signature.log, not even the print I'm doing.
>> What could be happening?
>> Thanks
>>
>> -- Martin
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


-- 
Eng. Martin Andreoni
Master's student
Grupo de Teleinformática e Automação (GTA)
Programa de Engenharia Elétrica (PEE)
Universidade Federal do Rio de Janeiro (UFRJ)
