Adding new signatures

Though my final intention is to make the BRO-IDS support the bittorrent
protocol.

If that's your goal, then you should start quite differently. For Bro,
signatures are a handy add-on, but not the heart of its analysis. Instead,
you should develop a protocol analyzer for Bro's event engine. Often a
good way to develop one of these is to start with an existing one for a
similar protocol and progressively modify it.

    Vern

Though they can be used to detect the protocol in the first place,
to then trigger further analysis via a protocol-specific analyzer.

Robin

Hi Guys,
Thanks for your suggestions.

Kindly excuse me for this lengthy mail :wink:!

I have decided to take gnutella as my framework for bittorrent.

Create bittorrent.cc with a frame like

BittorrentMsgState::BittorrentMsgState()
{
      /* Initialize the msg fields */
}

BittorrentConn::BittorrentConn(....)
{
      /* Initialize the Originator and Responder msg states */
}

BittorrentConn::BuildEndpoints()
{
      /* Build the Originator and Responder endpoints */
}

BittorrentConn::Done()
{
      /* Check for the connection establishment */
}

BittorrentConn::NextLine()
{
      /* Traverse the packet */
}

A few more APIs to be defined based on the Bittorrent protocol :wink:

A rough frame for the bittorrent.bro file will be like

redef capture_filters += { ["bittorrent"] = "port 6881 or port 6882" };
event bittorrent_text_msg(c: connection, orig: bool, headers: string)
event bittorrent_establish(....)

and a few more event definitions!!

Adding a few custom signatures like this

signature bittorrent_announce {
  ip-proto == tcp
  src-port == 6881
  payload /.*announce.*/
  tcp-state established
}

Kindly let me know if a framework like this would work for Bittorrent
support on BRO-IDS, or do I need to dig more on BRO-IDS? All your
suggestions are welcome!!

By the way, coming back to the question which I posted yesterday, I'm
sorry for not being clear on my question.

For the following signature built into ../site/signatures.bro
signature s2b-719-7-BRO { /*a rename from s2b-719-7 to s2b-719-7-BRO */
  ip-proto == tcp
  src-port == 23
  event "TELNET root login"
  tcp-state established,responder
  payload /.*login\x3A root/
}

I could find a log in the Signatures-xxx.log

1151508123.667965:SensitiveSignature:10.50.27.117:23/tcp:10.50.25.122:2089/tcp:s2b-719-7-BRO:10.50.27.117:TELNET root login:t::

But when I added the following custom signature in
../site/signatures.bro
I could not find a log in Signatures-xxx.log (the event occurred; I did a
login as anand :wink:)

/* Signature for the event when the user name is anand */
signature telnet_test {
  ip-proto == tcp
  src-port == 23
  event "TELNET anand login"
  tcp-state established,responder
  payload /.*login: anand/
}

I did try bro -s ../site/signatures.bro! There was no response... I had
to do a Ctrl+C!

Could someone help me on this!! :slight_smile:

Thanks,
Anand
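As an added example that is not part of this thread (and not Bro's own code), a small Python linter for the signature block syntax shown above: it pulls each signature's conditions out of a file and checks that every payload pattern is written as /regex/ and compiles, so a malformed pattern is caught before the file is loaded with bro -s. The sample text is constructed: the first block carries a deliberately malformed payload, the second is the s2b-719-7-BRO signature quoted in the thread. Assumption: Python's re module is close enough to Bro's pattern syntax to catch gross errors.

```python
import re

# Constructed sample: a deliberately malformed payload, then the s2b-719-7-BRO signature quoted above.
SAMPLE_SIGS = r"""
signature bittorrent_announce {
  ip-proto == tcp
  src-port== 6881
  payload /*announce* /
  tcp-state established
}
signature s2b-719-7-BRO {
  ip-proto == tcp
  src-port == 23
  event "TELNET root login"
  tcp-state established,responder
  payload /.*login\x3A root/
}
"""

BLOCK_RE = re.compile(r"signature\s+([\w-]+)\s*\{(.*?)\}", re.S)
LINE_RE = re.compile(r"^([\w-]+)\s*(.*)$")  # condition keyword, rest of line

def parse_signatures(text):
    """Return {name: {keyword: value}} for every signature block in text."""
    sigs = {}
    for name, body in BLOCK_RE.findall(text):
        fields = {}
        for line in body.splitlines():
            m = LINE_RE.match(line.strip())  # blank and '#' comment lines don't match
            if m:
                fields[m.group(1)] = m.group(2).strip()
        sigs[name] = fields
    return sigs

def check_payload(value):
    """None if value is a well-formed /regex/, else a description of the problem.
    Assumption: Python's re is close enough to Bro's pattern syntax for gross errors."""
    if len(value) < 2 or value[0] != "/" or value[-1] != "/":
        return "payload must be written as /regex/, got %r" % value
    try:
        re.compile(value[1:-1])
    except re.error as e:
        return "bad regex %r: %s" % (value[1:-1], e)
    return None

def lint(text):
    """Return [(name, problem)] for every signature whose payload fails the check."""
    checked = [(n, check_payload(f.get("payload", ""))) for n, f in parse_signatures(text).items()]
    return [(n, msg) for n, msg in checked if msg]
```

Run lint() over the contents of a signature file; a signature with no payload condition at all is reported as well, since an empty value is not a /regex/.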