[Bro] Issues with Signature Framework

Josh Guild josh.guild at morphick.com
Wed May 10 11:18:37 PDT 2017


Hi all,

I'm pretty sure I know the answer will be "don't use the Signature
Framework" but I'm going to ask this question anyway. Ha.

I'm trying to whitelist an IP as a destination within a signature but it
doesn't seem to work and the sig is still firing. Is this just a quirk
within the SF or am I missing something?

Example:

signature name {
        ip-proto == tcp
        dst-ip != 10.0.0.1
        payload /stuffimlookingfor/
        event "Getting stuff over TCP"
}

Any help would be much appreciated, thanks!

-- 
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
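An added example, not part of Josh's post and not Bro project code: one way to keep the destination exclusion out of the signature entirely, by leaving the signature unconditional on dst-ip and applying an allowlist in a script-level signature_match handler, where the check is explicit and easy to test. It assumes Bro 2.x script names (Signatures::actions, Signatures::SIG_IGNORE, the signature_state record with state$sig_id and state$conn$id$resp_h, and NOTICE from the notice framework); the module name Sig_Allowlist, the signature id "getting_stuff", the notice type and the allowlisted address are constructed for this example.

```bro
# Added example (not from the original post). Assumes Bro 2.x scripting names.
@load base/frameworks/signatures
@load base/frameworks/notice

module Sig_Allowlist;   # hypothetical module name for this example

export {
    redef enum Notice::Type += {
        ## Raised when the "getting_stuff" signature matches a destination
        ## that is not on the allowlist.
        Stuff_Over_TCP
    };

    ## Destinations for which the payload match is expected and should not
    ## alert. Constructed sample value; override with redef in local.bro.
    const allowed_dst: set[addr] = { 10.0.0.1 } &redef;
}

# Tell the signature framework to take no default action for this signature
# id; the handler below decides what to do with each match instead.
redef Signatures::actions += { ["getting_stuff"] = Signatures::SIG_IGNORE };

event signature_match(state: signature_state, msg: string, data: string)
    {
    # Only handle the signature this script is responsible for.
    if ( state$sig_id != "getting_stuff" )
        return;

    # resp_h is the responder of the connection, i.e. the destination the
    # originator connected to; skip matches toward allowlisted destinations.
    if ( state$conn$id$resp_h in allowed_dst )
        return;

    # Everything else gets a notice; msg carries the signature's event text.
    NOTICE([$note=Stuff_Over_TCP,
            $msg=msg,
            $conn=state$conn,
            $identifier=cat(state$conn$id$orig_h, state$conn$id$resp_h)]);
    }
```

The companion signature is the one from the post with the dst-ip line removed and the name set to getting_stuff, loaded from a .sig file with @load-sigs; a quick way to verify the allowlist is to replay a pcap containing the payload toward both 10.0.0.1 and another host and confirm that notice.log records only the second.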