Bro signatures


I am a little confused about content conditions for Bro signatures. I’m working to automate the generation of signatures compliant with Bro.

I would like to know how Bro behaves in two cases. I tried to provide many content-conditions for one signature. Let’s say that I want to detect the following patterns in a stream (just some examples):

1- common
2- attack
3- vulnerabilities

If I use the following condition, it will detect all occurrences of common followed by attack and vulnerabilities:

payload /.*common.*attack.*vulnerabilities.*/

What if I use a combination of those expressions:

payload /.*common.*attack.*/
payload /vulnerabilities/

I looked around, but did not find anything to help me understand how the signature engine will behave in these cases.

Thanks in advance for your help.


Both need to match, but independently. I.e., it's ok if
/vulnerabilities/ matches before (or even overlapping with).
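
The behaviour described in the reply, as an added example that is not part of the original thread: a Python sketch that generates both signature forms from keyword groups and models "every payload condition must match, each on its own" with Python's re module, not Bro's engine. The function names, signature ids, event text and sample payloads are constructed for illustration; re.match stands in for Bro anchoring payload patterns at the start of the payload.

```python
import re

def payload_conditions(groups):
    """One payload regex per group; keywords inside a group must appear in order."""
    conds = []
    for group in groups:
        for kw in group:
            if not kw.isalnum():
                # Assumption: keep keywords alphanumeric so no regex escaping is needed.
                raise ValueError("keyword needs escaping: %r" % kw)
        conds.append(".*" + ".*".join(group) + ".*")
    return conds

def render_signature(sig_id, groups, msg):
    """Emit signature text with one payload line per group."""
    lines = ["signature %s {" % sig_id, "  ip-proto == tcp"]
    lines += ["  payload /%s/" % rx for rx in payload_conditions(groups)]
    lines += ['  event "%s"' % msg, "}"]
    return "\n".join(lines)

def model_match(groups, payload):
    """Model of the reply: every condition must match, each one independently."""
    return all(re.match(rx, payload) for rx in payload_conditions(groups))

# The two forms from the question (ids and messages below are hypothetical).
SINGLE = [["common", "attack", "vulnerabilities"]]
SPLIT = [["common", "attack"], ["vulnerabilities"]]

# Constructed sample payloads.
SAMPLES = {
    "in order": "common attack vulnerabilities",
    "vulnerabilities first": "vulnerabilities, then a common attack",
    "one keyword missing": "common attack only",
}

if __name__ == "__main__":
    print(render_signature("sig-single", SINGLE, "ordered keywords"))
    print(render_signature("sig-split", SPLIT, "independent conditions"))
    for name, payload in SAMPLES.items():
        print("%-22s single=%s split=%s" % (
            name, model_match(SINGLE, payload), model_match(SPLIT, payload)))
```

Only the "vulnerabilities first" payload separates the two forms: the single pattern misses it, while the split conditions both match.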