Apr 28, 2008

Using a 'OR' condition in Signature payloads

Subject: Re: Using a 'OR' condition in Signature payloads

On Tue, Oct 31, 2006 at 00:32 -0800, Vern Paxson wrote:

> I believe what's going on is that "payload" is matching the TCP *byte-stream*
> rather than individual packets. As such, there's just one match to the
> pattern, since the .*'s eat up everything else in the byte-stream.

That's right.

> There's an option to just match packet payloads, but I don't recall what
> it is.

No, there is no option (UDP is matched packet-wise but even for UDP
Bro reports each signature-match only once per UDP flow).

Robin
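The following is an added example, not part of the original thread and not Bro's own code. It simulates in Python the difference Vern and Robin describe: a payload pattern of the form /.*(A|B).*/ applied once to the reassembled TCP byte stream produces a single match, because the greedy .* consumes the rest of the stream, whereas the same pattern applied packet by packet fires once per segment that contains either alternative. The segment contents, the pattern and the function names are constructed for the demonstration and are assumptions, not taken from the thread.

```python
import re

# Constructed sample: one TCP connection's payload split into three segments
# (hypothetical HTTP requests; not real traffic).
SEGMENTS = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"GET /cgi-bin/admin.cgi?cmd=ls HTTP/1.1\r\n",
    b"GET /cgi-bin/backup.cgi?cmd=cat HTTP/1.1\r\n",
]

# The kind of 'OR' payload pattern discussed in the thread, with the leading
# and trailing .* that people typically add to match anywhere in the payload.
# re.DOTALL makes '.' span line breaks, as it does in a raw byte stream.
OR_PATTERN = re.compile(rb".*(admin\.cgi|backup\.cgi).*", re.DOTALL)

# The same alternation without the surrounding .*; used below to show that the
# .* is what collapses the stream match to a single hit.
PLAIN_PATTERN = re.compile(rb"(admin\.cgi|backup\.cgi)")


def matches_per_packet(pattern, segments):
    """Run the pattern over each segment on its own, as a packet-based
    matcher would. Returns the alternative that matched in each segment."""
    return [m.group(1) for seg in segments for m in pattern.finditer(seg)]


def matches_on_stream(pattern, segments):
    """Reassemble the segments into one byte stream and run the pattern over
    the whole stream, which is how Bro's 'payload' condition is evaluated.
    Returns the alternative captured by each match."""
    stream = b"".join(segments)
    return [m.group(1) for m in pattern.finditer(stream)]


if __name__ == "__main__":
    # Packet-wise: admin.cgi and backup.cgi are each reported once.
    print("per packet, /.*(A|B).*/ :", matches_per_packet(OR_PATTERN, SEGMENTS))
    # Stream-wise: the greedy .* swallows the whole stream, so there is only
    # one match, and it captures whichever alternative the backtracking
    # settles on (the last one).
    print("on stream,  /.*(A|B).*/ :", matches_on_stream(OR_PATTERN, SEGMENTS))
    # Stream-wise without the .* wrapper: both occurrences are found.
    print("on stream,  /(A|B)/     :", matches_on_stream(PLAIN_PATTERN, SEGMENTS))
```

Running the script shows that the per-packet view reports both alternatives while the stream view of the .*-wrapped pattern reports just one; the third line shows the same stream matched without the .* wrapper, where each occurrence is found. The example only models the regular-expression side of the behaviour; it does not reproduce Bro's once-per-flow reporting that Robin mentions for UDP.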
