I get a little confused about content conditions for Bro signatures. I’m working to automate the generation of signatures compliant with Bro.
I would like to know how Bro behaves in two cases. I tried to provide many content-conditions for one signature. Let’s say that I want to detect the following patterns in a stream (just some examples):
If I use the following condition, it will detect all occurrences of common followed by attack and vulnerabilities,
What if I use a combination of those expressions:
I looked around, but did not find anything to help me understand how the signature engine will behave in these cases.
Thanks in advance for your help.