Hi,
1 - What's the difference between these types of signature?
What I’m trying to understand is when it could become handy to split the payload over many regular expressions.
signature sid-542 {
    ip-proto == tcp
    payload /.*EHLO.*MAIL FROM.*/
    event "sid-542"
}

signature sid-543 {
    ip-proto == tcp
    payload /.*EHLO.*/
    payload /.*MAIL FROM.*/
    event "sid-543"
}
Is the order of appearance of signature attributes important for Bro to trigger an alert?
Thanks for your help.