[Bro] Several protosig questions

Robin Sommer robin at icir.org
Mon Oct 24 11:51:46 PDT 2016
On Fri, Oct 21, 2016 at 17:38 -0600, you wrote:

> However if I have a generic ntp rule, either before or after the
> ntp_apple, I only get the ntp match:

Let me clarify one thing:

>   eval ProtoSig::match

"eval" is not for flagging a match. It's a condition by itself that
influences the matching of the signature. To learn about a match use
"event" instead and then hook into the "signature_event" event. If I
do that, things seem to work for me correctly with the sig-fixes
branch:

    # cat test.sig
    signature protosig_ntp {
      ip-proto == udp
      dst-port == 123
      payload /.*\x00/
      payload-size == 48
      event "match"
    }
    signature protosig_ntp_apple {
      dst-ip == 17.0.0.0/8
      ip-proto == udp
      dst-port == 123
      payload /.*\x00/
      payload-size == 48
      event "match"
    }

    # cat test.bro
    event signature_match(state: signature_state, msg: string, data: string)
            {
            print "signature match", state$sig_id;
            }

    # bro -s ./test.sig -r ntp-1.pcap ./test.bro
    signature match, protosig_ntp
    signature match, protosig_ntp_apple
    signature match, protosig_ntp
    signature match, protosig_ntp_apple
    signature match, protosig_ntp
    signature match, protosig_ntp_apple
    signature match, protosig_ntp
    signature match, protosig_ntp_apple
    signature match, protosig_ntp
    signature match, protosig_ntp_apple
    signature match, protosig_ntp
    signature match, protosig_ntp_apple
If I add "eval", I do see it execute for both signatures, though more
often for the generic one. That's probably an artefact of the order in
which conditions are run internally; having the dst-ip in there may
change that.

Btw, the order of matches is undefined, and might well have changed
since 2.4.

Robin

--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
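To make the eval/event distinction concrete, here is an added example, not from the thread above or from the Bro project, that keeps a signature like protosig_ntp_apple but moves the 17.0.0.0/8 check into an "eval" condition function and uses "event" to raise signature_match. The function name ProtoSig::apple_ntp_cond, the match counter and the file names are assumptions.

```bro
# --- apple-ntp.sig (constructed for this example) ---
signature protosig_ntp_apple {
  ip-proto == udp
  dst-port == 123
  payload /.*\x00/
  payload-size == 48
  # eval is a condition, not a match notification: the signature only
  # matches when the function returns T.
  eval ProtoSig::apple_ntp_cond
  # event is what actually flags the match; it raises signature_match
  # with this string as msg.
  event "apple ntp"
}

# --- apple-ntp.bro (constructed for this example) ---
module ProtoSig;

export {
    # Per-signature match counter (assumed helper, not part of Bro).
    global matches: table[string] of count &default=0;

    # Declared in the export block so the signature engine can resolve
    # the fully qualified name ProtoSig::apple_ntp_cond.
    global apple_ntp_cond: function(state: signature_state, data: string): bool;
}

# Condition for the eval keyword: same check as "dst-ip == 17.0.0.0/8",
# done at script level so it can be combined with arbitrary logic.
function apple_ntp_cond(state: signature_state, data: string): bool
    {
    return state$conn$id$resp_h in 17.0.0.0/8;
    }

# Fired once per signature match; this is where a match is observed.
event signature_match(state: signature_state, msg: string, data: string)
    {
    ++matches[state$sig_id];
    print fmt("%s: %s (seen %d times)", state$sig_id, msg,
              matches[state$sig_id]);
    }
```

Run it against a capture the same way as above, e.g. `bro -s apple-ntp.sig -r ntp-1.pcap apple-ntp.bro`; packets to addresses outside 17.0.0.0/8 fail the eval condition and never reach signature_match.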
