[Bro] Issues with Signature Framework
Josh Guild
josh.guild at morphick.com
Wed May 10 11:18:37 PDT 2017
Hi all,
I'm pretty sure I know the answer will be "don't use the Signature
Framework" but I'm going to ask this question anyways. Ha.
I'm trying to whitelist an IP as a destination within a signature but it
doesn't seem to work and the sig is still firing. Is this just a quirk
within the SF or am I missing something?
Example:
signature name {
    ip-proto == tcp
    dst-ip != 10.0.0.1
    payload /stuffimlookingfor/
    event "Getting stuff over TCP"
}
Any help would be much appreciated, thanks!
--
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>