[Bro] Issues with Signature Framework

Josh Guild josh.guild at morphick.com
Fri May 12 10:25:21 PDT 2017


Awesome, I'll give that a shot. Thanks!

On Fri, May 12, 2017 at 1:02 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> The entire signature.
>
> On 2017-05-12 09:53, Josh Guild wrote:
> > Hey guys,
> >
> > Thanks for the responses! I'll try to take a look at the debug output
> > and see if I can figure anything out there.
> >
> > James,
> > Do you mean placing it first/last in the signatures file or putting
> > the "dst-ip !=" first/last in the signature itself?
> >
> > On Fri, May 12, 2017 at 10:39 AM, James Lay <jlay at slave-tothe-box.net>
> > wrote:
> >
> >> Try putting it at the top of the sig list.  If that doesn't work, put it
> >> at the bottom.  I remember dealing with this myself after updating to
> >> 2.5.
> >>
> >> James
> >>
> >> On 2017-05-10 12:18, Josh Guild wrote:
> >>> Hi all,
> >>>
> >>> I'm pretty sure I know the answer will be "don't use the Signature
> >>> Framework" but I'm going to ask this question anyways. Ha.
> >>>
> >>> I'm trying to whitelist an IP as a destination within a signature but
> >>> it doesn't seem to work and the sig is still firing. Is this just a
> >>> quirk within the SF or am I missing something?
> >>>
> >>> Example:
> >>>
> >>> signature name {
> >>>     ip-proto == tcp
> >>>     dst-ip != 10.0.0.1
> >>>     payload /stuffimlookingfor/
> >>>     event "Getting stuff over TCP"
> >>> }
> >>>
> >>> Any help would be much appreciated, thanks!
> >>>
> >>> --
> >>>
> >>> Josh Guild
> >>> Network Intelligence Analyst
> >>>
> >>> _______________________________________________
> >>> Bro mailing list
> >>> bro at bro-ids.org
> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> >
> > --
> >
> > Josh Guild
> > Network Intelligence Analyst
>



-- 
Josh Guild
Network Intelligence Analyst
<https://twitter.com/stay_spooky> <https://keybase.io/joshuaguild>
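The destination whitelist discussed in the thread can also be enforced in script-land instead of inside the signature, as an added example that is not from the thread or the Bro project: keep the signature broad, silence its default action, and drop matches to the whitelisted address in a signature_match handler. The signature id getting-stuff-tcp, the file name getting-stuff.sig and the Notice type are assumptions.

```zeek
# Added example, not from the thread: enforce the destination whitelist in
# script-land instead of inside the signature. Assumes the signature below is
# saved as getting-stuff.sig next to this script, with the id changed from
# "name" to "getting-stuff-tcp" and the dst-ip condition removed:
#
#   signature getting-stuff-tcp {
#       ip-proto == tcp
#       payload /stuffimlookingfor/
#       event "Getting stuff over TCP"
#   }

@load base/frameworks/signatures
@load base/frameworks/notice
@load-sigs ./getting-stuff.sig

module StuffOverTCP;

export {
    redef enum Notice::Type += { Stuff_Over_TCP };

    # Destinations that must never raise the notice (constructed value).
    const dst_whitelist: set[addr] = { 10.0.0.1 } &redef;
}

# Keep the signature framework from logging/alarming the raw match itself;
# the signature_match event is still raised to the handler below.
redef Signatures::actions += { ["getting-stuff-tcp"] = Signatures::SIG_IGNORE };

event signature_match(state: signature_state, msg: string, data: string)
    {
    if ( state$sig_id != "getting-stuff-tcp" )
        return;

    # The signature's dst-ip is the destination of the packet that matched,
    # not always the connection responder: a match on a server reply has
    # the originator as its destination.
    local dst = state$is_orig ? state$conn$id$resp_h : state$conn$id$orig_h;

    if ( dst in dst_whitelist )
        return;

    NOTICE([$note=Stuff_Over_TCP,
            $msg=msg,
            $conn=state$conn,
            $identifier=cat(state$conn$id$orig_h, dst)]);
    }
```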