[Bro] Issues with Signature Framework

Josh Guild josh.guild at morphick.com
Fri May 12 08:53:56 PDT 2017


Hey guys,

Thanks for the responses! I'll try to take a look at the debug output and
see if I can figure anything out there.

James,
Do you mean placing it first/last in the signatures file or putting the
"dst-ip !=" first/last in the signature itself?

On Fri, May 12, 2017 at 10:39 AM, James Lay <jlay at slave-tothe-box.net>
wrote:

> Try putting it at the top of the sig list.  If that doesn't work, put it
> at the bottom.  I remember dealing with this myself after updating to
> 2.5.
>
> James
>
> On 2017-05-10 12:18, Josh Guild wrote:
> > Hi all,
> >
> > I'm pretty sure I know the answer will be "don't use the Signature
> > Framework" but I'm going to ask this question anyways. Ha.
> >
> > I'm trying to whitelist an IP as a destination within a signature but
> > it doesn't seem to work and the sig is still firing. Is this just a
> > quirk within the SF or am I missing something?
> >
> > Example:
> >
> > signature name {
> >         ip-proto == tcp
> >
> >         dst-ip != 10.0.0.1
> >
> >         payload /stuffimlookingfor/
> >         event "Getting stuff over TCP"
> > }
> >
> > Any help would be much appreciated, thanks!
> >
> > --
> >
> > Josh Guild
> > Network Intelligence Analyst
> > <https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>



-- 
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
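For readers who hit the same problem, here is an added example (not code from this thread or from the Bro project) that moves the destination whitelist out of the .sig file and into a script-level `signature_match` handler, so the decision no longer depends on how the signature engine evaluates `dst-ip !=`. It assumes the signature from the original post is saved as `stuff.sig` beside the script and keeps the id `name`; the file name, the module name `WhitelistDst`, the notice type `Stuff_Over_TCP` and the `ignore_dst` set are invented for the example. The `SIG_QUIET` redef is meant to stop the framework's own per-match notice for that id; its exact semantics should be checked against `base/frameworks/signatures/main.bro` in the Bro version in use.

```bro
##! Added example, not part of the mailing-list thread.
##! Whitelist a destination address for one signature at the script layer.
##!
##! Assumptions: the signature from the thread lives in ./stuff.sig and has
##! the id "name"; WhitelistDst, Stuff_Over_TCP and ignore_dst are invented.

@load base/frameworks/notice
@load base/frameworks/signatures
@load-sigs ./stuff.sig

module WhitelistDst;

export {
	redef enum Notice::Type += {
		## Raised for a matching payload unless the destination is whitelisted.
		Stuff_Over_TCP
	};

	## Destination addresses for which a match of the signature is dropped.
	const ignore_dst: set[addr] = { 10.0.0.1 } &redef;

	## Signature ids this script filters (all others are left alone).
	const filtered_sigs: set[string] = { "name" } &redef;
}

# Ask the signature framework not to raise its own notice for this id; the
# handler below raises one after the destination check instead.
# (Assumption: SIG_QUIET suppresses the framework's per-match notice.)
redef Signatures::actions += { ["name"] = Signatures::SIG_QUIET };

event signature_match(state: signature_state, msg: string, data: string)
	{
	if ( state$sig_id !in filtered_sigs )
		return;

	# "dst-ip" in a signature is the destination of the packet that matched,
	# so pick the address by match direction rather than assuming resp_h.
	local dst = state$is_orig ? state$conn$id$resp_h : state$conn$id$orig_h;

	if ( dst in ignore_dst )
		return;   # whitelisted destination: stay silent

	NOTICE([$note=Stuff_Over_TCP,
	        $conn=state$conn,
	        $msg=msg,
	        $sub=data,
	        $identifier=cat(state$conn$id$orig_h, dst)]);
	}
```

Run it against a capture with `bro -r trace.pcap whitelist_dst.bro` and confirm that traffic to 10.0.0.1 no longer produces a `WhitelistDst::Stuff_Over_TCP` notice while other destinations still do. The `dst-ip !=` line can stay in the .sig file; the script check is the one that decides.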