Re: Using a 'OR' condition in Signature payloads: msg#00000
Subject: Re: Using a 'OR' condition in Signature payloads
On Tue, Oct 31, 2006 at 00:32 -0800, Vern Paxson wrote:
> I believe what's going on is that "payload" is matching the TCP *byte-stream*
> rather than individual packets. As such, there's just one match to the
> pattern, since the .*'s eat up everything else in the byte-stream.
That's right.
> There's an option to just match packet payloads, but I don't recall what
> it is.
No, there is no option (UDP is matched packet-wise but even for UDP
Bro reports each signature-match only once per UDP flow).
Robin
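
A simplified Python model of the matching behaviour described in this thread, as an added example that is not part of the original messages and is not Bro's code. The segment payloads, the pattern and the function names are constructed for illustration, and anchoring the pattern at the start of the data is an assumption of the model.

```python
import re

# Constructed sample: payloads of three TCP segments from one connection.
SEGMENTS = [
    b"GET /a?x=foo HTTP/1.1\r\n",
    b"Host: example.test\r\n",
    b"X-Tag: bar\r\n\r\n",
]

# Constructed pattern: an OR alternation wrapped in .* on both sides.
# DOTALL lets "." cross line breaks, since the model treats payload as raw bytes.
PATTERN = re.compile(rb".*(foo|bar).*", re.DOTALL)


def match_stream(pattern, segments):
    """TCP model: match the reassembled byte-stream, one report per connection.

    Returns a list with at most one (matched_length, branch) tuple.
    """
    stream = b"".join(segments)
    m = pattern.match(stream)  # assumption: anchored at the start of the stream
    return [(len(m.group(0)), m.group(1))] if m else []


def match_per_packet(pattern, segments):
    """Hypothetical per-packet matching, which the thread says is not an
    option for TCP. Returns the index of every segment that matches."""
    return [i for i, seg in enumerate(segments) if pattern.match(seg)]


def match_udp_flow(pattern, datagrams):
    """UDP model: datagrams are matched one by one, but the signature match
    is reported only once per flow, so stop at the first hit."""
    for i, dgram in enumerate(datagrams):
        if pattern.match(dgram):
            return [i]
    return []


if __name__ == "__main__":
    print("stream    :", match_stream(PATTERN, SEGMENTS))
    print("per-packet:", match_per_packet(PATTERN, SEGMENTS))
    print("udp flow  :", match_udp_flow(PATTERN, SEGMENTS))
```

In the stream model the greedy `.*` consumes the whole connection, so both alternatives being present still yields a single match, and only the last occurring branch is captured.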