Bro <-> Snort documentation

I sent this to Vern, but thought a wider audience might be interested,
or have some answers.

Thanks Vern:

I'm planning on using the snort engine to extend KO (Kazaa
Obliterator). It looks like I could use a policy script like this:

signature kazaa-seen {
  ip-proto == tcp
  dst-ip == whatever
  dst-port == whatever (or omitted, I guess)
  payload /.*kazaa regular expression/
  eval function_to_execute_when_kazaa_seen
  event "kazaa seen"

The 'eval' & the 'event' are somewhat confusing. I presume that the
'signature_match' event is triggered with the string for action, but
when is the 'eval' called (before the event, or after), and with what
args? Presumably the connection information is available. I haven't
seen any running examples of the signature event. Do you have some