[Bro] How to change the situation that BRO signature only match once at most
李雪莉
2015223040113 at stu.scu.edu.cn
Sun Mar 25 19:16:51 PDT 2018
Hi, everyone,
I have recently worked on some BRO-ID works, that is, I want to intercept some REST messages from net interface using signatures, and I found that I can only intercept a part of all of the messages, for example, I can use tshark to intercept, let's say, 100 messages, but with BRO, there is only 50. And I have read the official document that says, "Each signature is reported at most once for every connection, further matches of the same signature are ignored". I just want to know is their any chance to change this situation? or did I configure something wrong?
Regards,
Sherry from China
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180326/b5dcdef0/attachment.html
More information about the Bro
mailing list