[Bro] Several protosig questions
Robin Sommer
robin at icir.org
Wed Oct 19 17:28:28 PDT 2016
On Mon, Oct 17, 2016 at 15:08 -0600, you wrote:
> Included! Sigs below (in 2.4.1 order mattered..I think last matched
> gets the protosig tag, but I've swapped these around with the same
> results)..in either case only ntp matches, not ntp_apple.
So both the problems turn out to be bugs: dst-ip is indeed not working
with IPv4 CIDR ranges, and payload-size is behaving oddly with (I
believe only) UDP. I have patches for both in git branch
topic/robin/sig-fixes, could you give that a try?
Robin
--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
More information about the Bro
mailing list