[Bro] Several protosig questions
jlay at slave-tothe-box.net
Thu Oct 27 04:43:08 PDT 2016
On Wed, 2016-10-26 at 15:47 -0700, Robin Sommer wrote:
> On Mon, Oct 24, 2016 at 13:53 -0600, James Lay wrote:
> > But the same results as above in conn.log. So I guess that's a feature
> > request? To hard define either a first rule that matches gets logged, or
> > the last rule that matches gets logged.
> It's a feature, not a bug. :) The signature engine always reports all
> matches, actually with the intention to *not* make order matter. What
> you could do is add logic in scriptland that selects which match to
> continue working with, based on some scheme you come up with (like
> having a table of signature names map to priorities).
Thanks Robin...that helps. Truth be told I wouldn't have a clue on
where to start with having a table of sigs map to priorities, so I guess I'll
suck it up and just make specific sigs and leave out the generics.
I'll keep testing and report anything else...thanks again for the work
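
The following is an added example, not part of the original thread and not code from the Bro project: one way to write the "table of signature names map to priorities" idea in Bro script. The module name, the signature IDs, the priority values and the `best_sig` field are all hypothetical, and the sketch assumes each signature carries an `event` action so that `signature_match` fires for it.

```bro
module SigPriority;

export {
	## Hypothetical signature IDs mapped to a priority; higher wins.
	## Signatures not listed here get priority 0 via &default.
	const priorities: table[string] of count = {
		["protosig-generic-tls"] = 10,
		["protosig-specific-app"] = 50,
	} &default=0 &redef;
}

# Per-connection scratch state: the best match seen so far.
redef record connection += {
	best_sig: string &optional;
};

# Extra conn.log column holding only the winning signature.
redef record Conn::Info += {
	best_sig: string &optional &log;
};

# The signature engine reports every match, in no guaranteed order.
# Keep only the highest-priority ID so arrival order does not matter.
event signature_match(state: signature_state, msg: string, data: string)
	{
	local c = state$conn;
	local id = state$sig_id;

	if ( ! c?$best_sig || priorities[id] > priorities[c$best_sig] )
		c$best_sig = id;
	}

# Runs after the conn framework has filled in c$conn (priority 5)
# and before it writes the log entry (priority -5).
event connection_state_remove(c: connection) &priority=-3
	{
	if ( c?$best_sig && c?$conn )
		c$conn$best_sig = c$best_sig;
	}
```

With this in place, generic and specific signatures can coexist: both still match, but only the higher-priority ID is written to the added conn.log column.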