Hello Bro Community,
I am looking for help in understanding more about Bro's signatures and
in troubleshooting a problem I have encountered.
I would like to write chains of signatures using 'requires-signature'
in hopes of easing maintainability and increasing signature matching
speed.
Below is the beginning of the chains I have written.
signature prematch_udp
{
  ip-proto == udp
}

signature prematch_tcp
{
  ip-proto == tcp
  tcp-state established, originator
}

signature prematch_tcp_80
{
  requires-signature prematch_tcp
  dst-port == 80
}

signature evil
{
  requires-signature prematch_tcp_80
  payload /GET /
  event "evil"
}

signature otherEvil
{
  requires-signature prematch_tcp
  dst-port == 8080
  payload /GET /
  event "otherEvil"
}
I understand a signature will 'fire' once per stream, but in this
scenario different signatures should be 'firing' for a single stream.
I have tested these signatures and cannot get them to match a stream
unless I remove the requires-signature options. Does anyone have any
advice or thoughts on why this would be happening?
Many thanks,
-AK
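Added diagnostic (not part of the original post): a small Bro script that prints every signature_match raised, so it is visible which links of a chain like the one above actually fire on a given connection. It assumes the signature file above is loaded (via @load-sigs or -s) and that the prerequisite signatures are temporarily given an event action, since only signatures with an `event` action raise signature_match.

```bro
# Added example, not from the original post.
# To observe the prerequisite signatures, temporarily add an action to them,
# e.g.   event "prematch_tcp"   inside signature prematch_tcp, then remove it
# once the chain behaves as expected (the event action is what raises
# signature_match; a header-only signature without it stays silent).

event signature_match(state: signature_state, msg: string, data: string)
    {
    # state$sig_id is the signature name, state$conn the matching connection,
    # state$is_orig tells which direction triggered the match.
    print fmt("%s sig=%s dir=%s %s:%s -> %s:%s msg=%s payload_size=%s",
              strftime("%Y-%m-%d %H:%M:%S", network_time()),
              state$sig_id,
              state$is_orig ? "orig" : "resp",
              state$conn$id$orig_h, state$conn$id$orig_p,
              state$conn$id$resp_h, state$conn$id$resp_p,
              msg, state$payload_size);
    }
```

Run it against a capture with `bro -r trace.pcap -s sigs.sig diag.bro`; if the prematch names never appear while the unchained versions match, the dependency is the part not being satisfied.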