[Bro] Issues with Signature Framework
James Lay
jlay at slave-tothe-box.net
Fri May 12 07:39:21 PDT 2017
Try putting it at the top of the sig list. If that doesn't work, put it
at the bottom. I remember dealing with this myself after updating to
2.5.
James
On 2017-05-10 12:18, Josh Guild wrote:
> Hi all,
>
> I'm pretty sure I know the answer will be "don't use the Signature
> Framework" but I'm going to ask this question anyways. Ha.
>
> I'm trying to whitelist an IP as a destination within a signature but
> it doesn't seem to work and the sig is still firing. Is this just a
> quirk within the SF or am I missing something?
>
> Example:
>
> signature name {
> ip-proto == tcp
>
> dst-ip != 10.0.0.1
>
> payload /stuffimlookingfor/
> event "Getting stuff over TCP"
> }
>
> Any help would be much appreciated, thanks!
>
> --
>
> Josh Guild
> Network Intelligence Analyst
> [1] [2]
>
>
>
> Links:
> ------
> [1] https://twitter.com/stay_spooky
> [2] https://keybase.io/joshuaguild
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro