[Bro] Several protosig questions

James Lay jlay at slave-tothe-box.net
Thu Oct 27 04:43:08 PDT 2016


On Wed, 2016-10-26 at 15:47 -0700, Robin Sommer wrote:
> On Mon, Oct 24, 2016 at 13:53 -0600, James Lay wrote:
> 
> > But the same results as above in conn.log.  So I guess that's a feature
> > request?  To hard define either a first rule that matches gets logged, or
> > the last rule that matches gets logged.
> It's a feature, not a bug. :) The signature engine always reports all
> matches, actually with the intention to *not* make order matter. What
> you could do is add logic in scriptland that selects which match to
> continue working with, based on some scheme you come up with (like
> having a table of signature names map to priorities).
> 
> Robin
> 
Thanks Robin...that helps.  Truth be told I wouldn't have a clue on
where to start with having a table of sigs map to priorities, so I guess
I'll suck it up and just make specific sigs and leave out the generics.
I'll keep testing and report anything else...thanks again for the work
on this.
James
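
One way to build the priority table Robin describes, as an added example that is not part of the original thread or of the protosig code: a Bro script that keeps only the highest-priority signature match per connection and writes it to conn.log. The module name, the `top_sig` field and the signature names are assumptions made for illustration.

```bro
module SigPriority;

export {
	## Signature name -> priority; higher wins. Names below are constructed
	## placeholders; signatures not listed get priority 0.
	const priorities: table[string] of count = {
		["example-generic-tcp"] = 1,
		["example-specific-app"] = 10,
	} &default=0 &redef;
}

# Per-connection scratch field holding the best match seen so far.
redef record connection += {
	top_sig: string &optional;
};

# Hypothetical extra conn.log column written by this script.
redef record Conn::Info += {
	top_sig: string &log &optional;
};

# Raised once per matching signature that has an "event" action.
event signature_match(state: signature_state, msg: string, data: string)
	{
	local c = state$conn;
	local id = state$sig_id;

	if ( ! c?$top_sig )
		{
		c$top_sig = id;
		return;
		}

	local new_p = priorities[id];
	local cur_p = priorities[c$top_sig];

	# Higher priority wins; ties go to the lexicographically smaller name,
	# so the result does not depend on the order matches are reported in.
	if ( new_p > cur_p || (new_p == cur_p && id < c$top_sig) )
		c$top_sig = id;
	}

# conn.log is written at priority -5 in this event, so copy the winner first.
event connection_state_remove(c: connection)
	{
	if ( c?$top_sig && c?$conn )
		c$conn$top_sig = c$top_sig;
	}
```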