Bro Signatures


1 - What’s the difference between these types of signatures?
What I’m trying to understand is when it could become handy to split the payload over many regular expressions.

# Single payload pattern
signature sid-542 {
    ip-proto == tcp
    payload /.* EHLO .* MAIL FROM .*/
    event "sid-542"
}

# Payload split across two patterns
signature sid-543 {
    ip-proto == tcp
    payload /.EHLO./
    payload /.* MAIL FROM .*/
    event "sid-543"
}

Is the order of appearance of signature attributes important for Bro to trigger an alert?

Thanks for your help.