[Bro] Several protosig questions
James Lay
jlay at slave-tothe-box.net
Sat Oct 15 09:48:09 PDT 2016
Wow... so here's my sig:

signature protosig_ntp_apple {
    dst-ip == 17.0.0.0/8
    ip-proto == udp
    dst-port == 123
    payload /.*\x00/
    payload-size == 48
    eval ProtoSig::match
}
First, the IPs are 192.168.1.95 -> 17.253.4.253, UDP port 123.

Issue #1: CIDR doesn't appear to work. With the above dst-ip entry this
fails to identify ntp_apple; commenting out the dst-ip line, it matches.

Issue #2: payload-size. Of interest, if you don't set a payload entry,
then setting payload-size with ">" or "==" won't match, but ANY number
with "<" fires. Ironically, I could set payload-size < 1 and this
would fire.

This is using the latest beta. Thank you.
James
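An offline check of the conditions in the signature above, added here as an example; it is not part of the original post and not Bro's signature engine. It builds a constructed IPv4/UDP/NTP datagram shaped like the 192.168.1.95 -> 17.253.4.253 flow described, parses the header fields back out, and evaluates each of the five conditions separately, so one can see which condition is expected to pass or fail on a given packet independently of Bro. Assumptions: Bro matches a payload regex anchored at the start of the payload (mirrored with re.match), and the packet bytes are constructed inline, not captured traffic.

```python
"""Offline evaluation of the posted protosig_ntp_apple conditions (added example)."""
import ipaddress
import re
import struct

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")


def build_ntp_client_payload() -> bytes:
    """Constructed 48-byte NTPv4 client request: LI=0, VN=4, Mode=3 (0x23),
    all zero apart from a transmit timestamp, as a real client sends."""
    pkt = bytearray(48)
    pkt[0] = 0x23
    struct.pack_into(">II", pkt, 40, 0xDEADBEEF, 0x12345678)
    return bytes(pkt)


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed IPv4 (no options) + UDP datagram. Checksums are left zero,
    which is fine for an offline check (UDP checksum 0 = not computed)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return ip + udp


def parse_ipv4_udp(raw: bytes):
    """Return (proto_name, dst_ip, dst_port, payload) from raw IPv4 bytes."""
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    dst = str(ipaddress.ip_address(raw[16:20]))
    if proto != 17:                      # not UDP: no port/payload to match on
        return ("other", dst, None, b"")
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    payload = raw[ihl + 8:ihl + ulen]
    return ("udp", dst, dport, payload)


# The five conditions of the posted signature, written out one by one.
# Assumption: Bro anchors `payload` regexes at the start of the payload,
# so re.match (not re.search) is used; `.` stops at a newline byte in both.
CONDITIONS = {
    "dst-ip == 17.0.0.0/8": lambda f: ipaddress.ip_address(f["dst"]) in APPLE_NET,
    "ip-proto == udp": lambda f: f["proto"] == "udp",
    "dst-port == 123": lambda f: f["dport"] == 123,
    "payload /.*\\x00/": lambda f: re.match(rb".*\x00", f["payload"]) is not None,
    "payload-size == 48": lambda f: len(f["payload"]) == 48,
}


def evaluate(raw: bytes) -> dict:
    """Evaluate every condition on one packet; 'match' is the AND of all."""
    proto, dst, dport, payload = parse_ipv4_udp(raw)
    fields = {"proto": proto, "dst": dst, "dport": dport, "payload": payload}
    results = {name: bool(cond(fields)) for name, cond in CONDITIONS.items()}
    results["match"] = all(results.values())
    return results


def payload_size_matches(payload: bytes, op: str, n: int) -> bool:
    """What a `payload-size <op> n` condition should yield for a payload."""
    size = len(payload)
    return {"==": size == n, "!=": size != n, "<": size < n,
            "<=": size <= n, ">": size > n, ">=": size >= n}[op]


if __name__ == "__main__":
    apple = build_ipv4_udp("192.168.1.95", "17.253.4.253", 50000, 123,
                           build_ntp_client_payload())
    for name, ok in evaluate(apple).items():
        print(f"{name:24s} {ok}")
```

Running it prints one line per condition; a packet to a destination outside 17.0.0.0/8 should fail only the dst-ip line, and a 48-byte NTP request should fail `payload-size < 1` for any operator semantics.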