[Bro] Issues with Signature Framework
James Lay
jlay at slave-tothe-box.net
Fri May 12 10:02:29 PDT 2017
The entire signature.
On 2017-05-12 09:53, Josh Guild wrote:
> Hey guys,
>
> Thanks for the responses! I'll try to take a look at the debug output
> and see if I can figure anything out there.
>
> James,
> Do you mean placing it first/last in the signatures file or putting
> the "dst-ip !=" first/last in the signature itself?
>
> On Fri, May 12, 2017 at 10:39 AM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>> Try putting it at the top of the sig list. If that doesn't work, put it
>> at the bottom. I remember dealing with this myself after updating to
>> 2.5.
>>
>> James
>>
>> On 2017-05-10 12:18, Josh Guild wrote:
>>> Hi all,
>>>
>>> I'm pretty sure I know the answer will be "don't use the Signature
>>> Framework" but I'm going to ask this question anyways. Ha.
>>>
>>> I'm trying to whitelist an IP as a destination within a signature but
>>> it doesn't seem to work and the sig is still firing. Is this just a
>>> quirk within the SF or am I missing something?
>>>
>>> Example:
>>>
>>> signature name {
>>>     ip-proto == tcp
>>>     dst-ip != 10.0.0.1
>>>     payload /stuffimlookingfor/
>>>     event "Getting stuff over TCP"
>>> }
>>>
>>> Any help would be much appreciated, thanks!
>>>
>>> --
>>>
>>> Josh Guild
>>> Network Intelligence Analyst
>>> https://twitter.com/stay_spooky
>>> https://keybase.io/joshuaguild
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
>
> Josh Guild
> Network Intelligence Analyst
> https://twitter.com/stay_spooky
> https://keybase.io/joshuaguild
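As an added example (not part of this thread and not code from the Bro project), the following Bro script shows a way to enforce the destination whitelist from the question on the script side, independent of how the signature engine evaluates the `dst-ip !=` header condition. It assumes the signature from the thread has been saved as `whitelist-test.sig` beside the script with the id `getting-stuff` (both names are assumptions), and relies on the base signatures framework's `Signatures::actions` table so that only this handler reports the match.

```bro
# Added example: a script-side destination whitelist for the signature posted
# in the thread. Assumes a companion file ./whitelist-test.sig (assumed path)
# containing the posted body under an assumed id:
#
#   signature getting-stuff {
#       ip-proto == tcp
#       dst-ip != 10.0.0.1
#       payload /stuffimlookingfor/
#       event "Getting stuff over TCP"
#   }

@load base/frameworks/notice
@load base/frameworks/signatures
@load-sigs ./whitelist-test.sig

module SigWhitelist;

export {
    redef enum Notice::Type += {
        ## Raised when the signature matches traffic to a destination that
        ## is not on the whitelist.
        Getting_Stuff
    };

    ## Destinations that must never produce a notice, regardless of how the
    ## signature engine handles the dst-ip condition.
    const dst_whitelist: set[addr] = { 10.0.0.1 } &redef;

    ## Id of the signature this handler applies to (assumed name, see above).
    const sig_id = "getting-stuff" &redef;
}

# Let the base signatures framework ignore this id so the match is not also
# reported as Signatures::Sensitive_Signature; our handler below still runs.
redef Signatures::actions += { ["getting-stuff"] = Signatures::SIG_IGNORE };

event signature_match(state: signature_state, msg: string, data: string)
    {
    # Only act on the signature from the thread; other signatures are untouched.
    if ( state$sig_id != sig_id )
        return;

    # dst-ip in a signature refers to the destination of the packet that
    # matched, so derive it from the direction of the matching payload
    # rather than assuming the responder is always the destination.
    local dst = state$is_orig ? state$conn$id$resp_h : state$conn$id$orig_h;

    if ( dst in dst_whitelist )
        return;

    NOTICE([$note=Getting_Stuff,
            $conn=state$conn,
            $msg=fmt("%s (sig %s) to non-whitelisted destination %s",
                     msg, state$sig_id, dst),
            $sub=data,
            $identifier=cat(state$conn$id$orig_h, dst)]);
    }
```

Because the whitelist check happens in the event handler, it does not depend on where the `dst-ip` line sits in the signature or on the position of the signature in the file, so it gives a deterministic result while the header-condition behaviour is being investigated with the debug output mentioned in the thread. Additional destinations can be added from local site policy with `redef SigWhitelist::dst_whitelist += { ... };`.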