[Bro] Issues with Signature Framework
Robin Sommer
robin at icir.org
Thu May 11 09:41:00 PDT 2017
On Wed, May 10, 2017 at 14:18 -0400, Josh Guild wrote:
> I'm pretty sure I know the answer will be "don't use the Signature
> Framework" but I'm going to ask this question anyways. Ha.
It's actually ok to use it, just not too heavily. :-)
> I'm trying to whitelist an IP as a destination within a signature but it
> doesn't seem to work and the sig is still firing.
Couple things:
- I assume you have seen this list of "quirks"?
  https://www.bro.org/sphinx/frameworks/signatures.html#things-to-keep-in-mind-when-writing-signatures
- If you compile with --enable-debug and run with '-B signatures' you get debugging information in debug.log that may help track down what's going on (if you don't mind looking at some low-level stuff :)
- If you cannot figure it out I can look into it but would need a signature and a trace to reproduce what you're seeing.
Robin
--
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
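The following is an added illustration, not code from Robin's reply or from the Bro project, of one way to keep a destination allowlist for signature hits without relying on an IP header condition inside the signature itself: the signature stays minimal, and the responder address is checked in the `signature_match` handler, where the result does not depend on how the signature engine evaluates header conditions. The signature name, the payload pattern, the file name `local.sig`, the module name and the addresses are all constructed for the example.

```bro
# Added example (not from the original post or the Bro project).
# Assumes a signature file local.sig next to this script containing, for example:
#
#   signature example-admin-get {
#       ip-proto == tcp
#       dst-port == 80
#       payload /.*GET \/admin/
#       event "example admin GET"
#   }
#
# The signature carries no dst-ip condition; the destination allowlist lives below.

@load-sigs ./local.sig

module SigAllowlist;

export {
    ## Responder addresses for which signature hits are ignored (constructed values).
    const ignore_resp: set[subnet] = { 10.0.0.5/32, 192.168.10.0/24 } &redef;
}

# signature_match is raised once per connection for every signature whose
# "event" action fires; state$conn is the connection the match belongs to.
event signature_match(state: signature_state, msg: string, data: string)
    {
    local c = state$conn;

    # Longest-prefix membership test of the responder address against the allowlist.
    if ( c$id$resp_h in ignore_resp )
        return;

    print fmt("signature %s matched %s -> %s: %s",
              state$sig_id, c$id$orig_h, c$id$resp_h, msg);
    }
```

Run it against a trace with `bro -r trace.pcap sig-allowlist.bro` (file name assumed); the allowlist can be extended from another script with `redef SigAllowlist::ignore_resp += { 10.1.2.0/24 };`. The `-B signatures` debug output Robin mentions is still the place to look when the signature itself is not firing as expected, since this handler only sees matches the engine has already reported.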