Hi,
I am a little confused about content conditions for Bro signatures. I'm working on automating the generation of signatures compliant with Bro.
I would like to know how Bro behaves in two cases. I tried to provide many content-conditions for one signature. Let’s say that I want to detect the following patterns in a stream (just some examples):
1- common
2- attack
3- vulnerabilities
If I use the following condition, it will detect all occurrences of common followed by attack and vulnerabilities:
payload /.*common.*attack.vulnerabilities./
What if I use a combination of those expressions:
payload /.*common.attack./
payload /vulnerabilities/
I looked around, but did not find anything to help me understand how the signature engine will behave in these cases.
Thanks in advance for your help.
R. ALAHASSA
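An added illustration of the two cases asked about above (example code written for this post, not part of the original message and not Bro's own matcher). It models a Bro signature as a list of payload regexes that must all hold for the signature to fire, and it assumes, as the leading ".*" in the poster's patterns suggests, that each payload regex is matched from the beginning of the payload. Signature names and sample payload strings are constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Signature:
    """Toy model of a Bro signature with one or more 'payload' conditions.

    Model assumptions (not Bro's implementation):
      * all conditions of one signature are ANDed: every regex must match;
      * each regex is evaluated independently against the same payload and
        is anchored at its start (hence the '.*' prefixes in the question).
    """
    name: str
    payload: list = field(default_factory=list)

    def matches(self, data: str) -> bool:
        # re.match anchors at position 0, modelling the implicit anchoring.
        # Sample data below contains no newlines, so '.' behaviour on '\n'
        # does not come into play.
        return all(re.match(rx, data) for rx in self.payload)


# Constructed signatures mirroring the two variants from the question.
SIGNATURES = [
    # One regex: requires common, then attack, then vulnerabilities, in order.
    Signature("combined", [r".*common.*attack.*vulnerabilities.*"]),
    # Two conditions: each must match, but order between them is not fixed.
    Signature("split", [r".*common.*attack.*", r".*vulnerabilities.*"]),
    # Second condition without the '.*' prefix: under implicit anchoring it
    # only holds when the payload starts with 'vulnerabilities'.
    Signature("split_unanchored", [r".*common.*attack.*", r"vulnerabilities"]),
]


def fired(data: str) -> list:
    """Return the names of the signatures that match the given payload."""
    return [sig.name for sig in SIGNATURES if sig.matches(data)]


def single_dot_matches(data: str) -> bool:
    """The poster's second pattern uses a bare '.', which matches exactly one
    arbitrary character, not 'anything in between' like '.*' does."""
    return re.match(r".*common.attack.", data) is not None


if __name__ == "__main__":
    for payload in (
        "a common attack on known vulnerabilities",
        "vulnerabilities enable a common attack",
        "a common attack",
    ):
        print(f"{payload!r:45} -> {fired(payload)}")
    for payload in ("common attack!", "common  attack!", "commonattack!"):
        print(f"{payload!r:20} single-dot pattern -> {single_dot_matches(payload)}")
```

Running it shows the practical difference: the combined regex fires only when the three words appear in that order, the two-condition signature fires whenever both of its regexes match the payload regardless of where each word sits, and a condition written without the leading ".*" only matches payloads that begin with that word. The bare "." in "/.*common.attack./" accepts exactly one character between the words, so "common attack!" matches while "common  attack!" (two spaces) and "commonattack!" do not.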