[Bro] Issues with Signature Framework

James Lay jlay at slave-tothe-box.net
Fri May 12 10:02:29 PDT 2017


The entire signature.

On 2017-05-12 09:53, Josh Guild wrote:
> Hey guys,
> 
> Thanks for the responses! I'll try to take a look at the debug output
> and see if I can figure anything out there.
> 
> James,
> Do you mean placing it first/last in the signatures file or putting
> the "dst-ip !=" first/last in the signature itself?
> 
> On Fri, May 12, 2017 at 10:39 AM, James Lay <jlay at slave-tothe-box.net>
> wrote:
> 
>> Try putting it at the top of the sig list.  If that doesn't work,
>> put it at the bottom.  I remember dealing with this myself after
>> updating to 2.5.
>> 
>> James
>> 
>> On 2017-05-10 12:18, Josh Guild wrote:
>>> Hi all,
>>> 
>>> I'm pretty sure I know the answer will be "don't use the Signature
>>> Framework" but I'm going to ask this question anyways. Ha.
>>> 
>>> I'm trying to whitelist an IP as a destination within a signature
>>> but it doesn't seem to work and the sig is still firing. Is this
>>> just a quirk within the SF or am I missing something?
>>> 
>>> Example:
>>> 
>>> signature name {
>>>     ip-proto == tcp
>>>     dst-ip != 10.0.0.1
>>>     payload /stuffimlookingfor/
>>>     event "Getting stuff over TCP"
>>> }
>>> 
>>> Any help would be much appreciated, thanks!
>>> 
>>> --
>>> 
>>> Josh Guild
>>> Network Intelligence Analyst
>>> https://twitter.com/stay_spooky
>>> https://keybase.io/joshuaguild
>>> 
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> --
> 
> Josh Guild
> Network Intelligence Analyst
> https://twitter.com/stay_spooky
> https://keybase.io/joshuaguild

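The thread never settles why the `dst-ip !=` exclusion in Josh's signature does not take effect, so here is an added toy evaluator that I wrote for this page; it is not Bro's signature engine and not code from anyone on the list. It parses the subset of the signature syntax used above (ip-proto, src-ip/dst-ip with == or !=, payload, event), ANDs the conditions per packet the way a signature block does, and runs the poster's signature over a handful of constructed packets. The names `Packet`, `Signature`, `parse_signatures`, `matches` and `fire` are mine, the addresses are documentation ranges, and the traffic is made up. One thing the model makes visible: header conditions are checked on the packet that carries the matching payload, so when the pattern shows up in a reply coming back from the whitelisted host, dst-ip is the client, not 10.0.0.1. Whether Bro 2.5 resolves dst-ip the same way on a TCP stream is not established here; the practical check is to replay a capture with `bro -r trace.pcap -s file.sig` and read signatures.log.

```python
"""Toy evaluator for a subset of the Bro/Zeek signature language.

Added illustration only: this is not Bro's signature engine.  It parses
the conditions used in the thread (ip-proto, src-ip/dst-ip with == or !=,
payload, event) and, like a signature block, ANDs them per packet, so
"dst-ip != 10.0.0.1" suppresses a hit only on packets whose destination
really is 10.0.0.1.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:                      # hypothetical, minimal packet model
    src: str
    dst: str
    proto: str                     # "tcp", "udp", ...
    payload: bytes


@dataclass
class Signature:                   # hypothetical parsed form of one block
    name: str
    ip_proto: Optional[str] = None
    ip_conds: List[tuple] = field(default_factory=list)  # (field, op, [networks])
    payload: Optional[re.Pattern] = None
    event: str = ""


SIG_RE = re.compile(r"signature\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_signatures(text: str) -> List[Signature]:
    """Parse signature blocks; raise ValueError on anything the model lacks."""
    sigs = []
    for m in SIG_RE.finditer(text):
        sig = Signature(name=m.group(1))
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, rest = line.partition(" ")
            rest = rest.strip()
            if key == "ip-proto":
                op, val = rest.split()
                if op != "==":
                    raise ValueError(f"{sig.name}: ip-proto supports only == here")
                sig.ip_proto = val
            elif key in ("src-ip", "dst-ip"):
                op, vals = rest.split(None, 1)
                if op not in ("==", "!="):
                    raise ValueError(f"{sig.name}: bad operator {op!r}")
                # Address lists are comma separated; single hosts become /32.
                nets = [ipaddress.ip_network(v.strip(), strict=False)
                        for v in vals.split(",")]
                sig.ip_conds.append((key, op, nets))
            elif key == "payload":
                if not (rest.startswith("/") and rest.endswith("/")):
                    raise ValueError(f"{sig.name}: payload must be /regex/")
                sig.payload = re.compile(rest[1:-1].encode())
            elif key == "event":
                sig.event = rest.strip('"')
            else:
                raise ValueError(f"{sig.name}: unsupported condition {key!r}")
        sigs.append(sig)
    return sigs


def matches(sig: Signature, pkt: Packet) -> bool:
    """Every condition of the block must hold on the same packet."""
    if sig.ip_proto is not None and sig.ip_proto != pkt.proto:
        return False
    for fld, op, nets in sig.ip_conds:
        addr = ipaddress.ip_address(pkt.src if fld == "src-ip" else pkt.dst)
        in_list = any(addr in n for n in nets)
        # "==" needs the address in the list, "!=" needs it absent.
        if (op == "==") != in_list:
            return False
    if sig.payload is not None and not sig.payload.search(pkt.payload):
        return False
    return True


def fire(sigs: List[Signature], pkts: List[Packet]) -> List[Tuple[str, str, str]]:
    """Return (event, src, dst) for every packet that satisfies a signature."""
    return [(s.event, p.src, p.dst) for p in pkts for s in sigs if matches(s, p)]


# Constructed copy of the signature from the thread.
SIGNATURE_TEXT = """
signature name {
    ip-proto == tcp
    dst-ip != 10.0.0.1
    payload /stuffimlookingfor/
    event "Getting stuff over TCP"
}
"""

# Constructed traffic; 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "198.51.100.5", "tcp", b"GET /stuffimlookingfor HTTP/1.1"),
    Packet("192.0.2.10", "10.0.0.1", "tcp", b"GET /stuffimlookingfor HTTP/1.1"),   # whitelisted dst
    Packet("10.0.0.1", "192.0.2.10", "tcp", b"HTTP/1.1 200 OK\r\n\r\nstuffimlookingfor"),  # reply: dst is the client
    Packet("192.0.2.10", "198.51.100.5", "udp", b"stuffimlookingfor"),              # wrong protocol
]

if __name__ == "__main__":
    for event, src, dst in fire(parse_signatures(SIGNATURE_TEXT), SAMPLE_PACKETS):
        print(f"{event}: {src} -> {dst}")
```

Only the first and third packets fire: the request to 10.0.0.1 is suppressed by the `!=` condition, the UDP packet fails `ip-proto == tcp`, and the reply from 10.0.0.1 fires because on that packet the destination is 192.0.2.10. If the real deployment sees hits only for traffic where the payload is in the response direction, that is the first thing worth confirming in signatures.log before reordering the signature file.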
