About Specification Based detection


Much more specific into specification based. Like if there is one
specification "a
valid SMTP greeting is no longer than NN bytes long . We need to know
that NN bytes. Similiarly I believe that there are some specifications
built in bro. Is there any way to know more about those specifications
like how threshold is set... Can any one suggest me any reference
which will help me know more about this stuff...