[Bro] Several protosig questions
James Lay
jlay at slave-tothe-box.net
Fri Oct 21 16:38:01 PDT 2016
So ok, here's where I'm at. With only the ntp_apple rule this works.
However, if I have a generic ntp rule, either before or after the
ntp_apple, I only get the ntp match:
signature protosig_ntp {
  ip-proto == udp
  dst-port == 123
  payload /.*\x00/
  payload-size == 48
  eval ProtoSig::match
}

signature protosig_ntp_apple {
  #header ip[16:4] == 17.0.0.0/8
  dst-ip == 17.0.0.0/8
  ip-proto == udp
  dst-port == 123
  payload /.*\x00/
  payload-size == 48
  eval ProtoSig::match
}

#signature protosig_ntp {
#  ip-proto == udp
#  dst-port == 123
#  payload /.*\x00/
#  payload-size == 48
#  eval ProtoSig::match
#}
Currently, with 2.4.1 protosig, you put the generic one first and the
specific ones after. This appears to have changed? Anyway, at least it
does now match, so that's a plus.
On Tue, 2016-10-18 at 11:28 -0700, Robin Sommer wrote:
> On Mon, Oct 17, 2016 at 15:08 -0600, you wrote:
>
> >
> > Included!
> Thanks, I'll take a look, give me a little bit.
>
> Robin
>
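The overlap James describes is that an NTP packet to 17.0.0.0/8 satisfies both signatures, so which one is reported depends on how the matcher resolves multiple hits. The following is an added example, not Bro's signature engine and not the ProtoSig code from the thread: a small Python simulation of the two signatures above against constructed packets, showing that both rules hit the Apple packet regardless of listing order, and one way to rank overlapping hits by specificity (condition count) so the dst-ip rule wins. The packet dict layout, the `make_signature` helper and the sample addresses are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample traffic (not captured data). Fields mirror the condition
# types used in the post's signatures: ip-proto, dst-ip, dst-port, payload,
# payload-size. 17.253.2.1 is just an address inside 17.0.0.0/8.
SAMPLE_PACKETS = {
    "apple_ntp": {"proto": "udp", "dst_ip": "17.253.2.1", "dst_port": 123,
                  "payload": b"\x23" + b"\x00" * 47},
    "other_ntp": {"proto": "udp", "dst_ip": "192.0.2.10", "dst_port": 123,
                  "payload": b"\x23" + b"\x00" * 47},
    "dns": {"proto": "udp", "dst_ip": "17.253.2.1", "dst_port": 53,
            "payload": b"\x12\x34\x01\x00" + b"\x00" * 44},
}


def make_signature(name, proto=None, dst_net=None, dst_port=None,
                   payload_re=None, payload_size=None):
    """Hypothetical helper: build a signature as a list of (label, predicate)
    pairs. Every condition supplied must hold for the signature to match."""
    conds = []
    if proto is not None:
        conds.append(("ip-proto", lambda p: p["proto"] == proto))
    if dst_net is not None:
        net = ipaddress.ip_network(dst_net)
        conds.append(("dst-ip",
                      lambda p: ipaddress.ip_address(p["dst_ip"]) in net))
    if dst_port is not None:
        conds.append(("dst-port", lambda p: p["dst_port"] == dst_port))
    if payload_re is not None:
        rx = re.compile(payload_re, re.DOTALL)
        conds.append(("payload",
                      lambda p: rx.match(p["payload"]) is not None))
    if payload_size is not None:
        conds.append(("payload-size",
                      lambda p: len(p["payload"]) == payload_size))
    return {"name": name, "conditions": conds}


# The two signatures from the post, generic first as James lists them.
SIGNATURES = [
    make_signature("protosig_ntp", proto="udp", dst_port=123,
                   payload_re=rb".*\x00", payload_size=48),
    make_signature("protosig_ntp_apple", proto="udp", dst_net="17.0.0.0/8",
                   dst_port=123, payload_re=rb".*\x00", payload_size=48),
]


def matching_signatures(packet, signatures=SIGNATURES):
    """Names of every signature whose conditions all hold. Listing order does
    not change the set of hits, only the order they are reported in."""
    return [s["name"] for s in signatures
            if all(pred(packet) for _, pred in s["conditions"])]


def most_specific_match(packet, signatures=SIGNATURES):
    """Resolve overlapping hits by preferring the signature with the most
    conditions; max() keeps the first of equally specific candidates, so list
    order only breaks ties."""
    hits = [s for s in signatures
            if all(pred(packet) for _, pred in s["conditions"])]
    if not hits:
        return None
    return max(hits, key=lambda s: len(s["conditions"]))["name"]


if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        print(label, matching_signatures(pkt), "->", most_specific_match(pkt))
```

Running the block shows the Apple NTP packet hitting both rules and the generic-only packet hitting just protosig_ntp; `most_specific_match` reports protosig_ntp_apple for the former whether the generic rule is listed first or last. Whether a real Bro deployment reports one or all overlapping signatures depends on the engine and on what the `eval` function does with each hit, which is exactly the behaviour the thread is trying to pin down.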