Bro <-> Snort documentation

signature kazaa-seen {
  ip-proto == tcp
  dst-ip == whatever
  dst-port == whatever (or omitted, I guess)
  payload /.*kazaa regular expression/
  eval function_to_execute_when_kazaa_seen
  event "kazaa seen"
}

The 'eval' & the 'event' are somewhat confusing. I presume that the
'signature_match' event is triggered with the string for action, but
when is the 'eval' called (before the event, or after), and with what
args?

The function specified by "eval" is called before the signature is determined
to have triggered. It's passed in the signature_state just as is
signature_match. It returns a boolean, which must be T for the signature
to trigger.

For an example, see sig.ex.ssl-worm.bro and policy/ssl-worm.bro.

    Vern
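The eval/event flow described in the reply, worked into a signature file plus the policy script that backs it. This is an added illustration, not code from the thread or from the Bro distribution; the port number 1214, the min_payload_size threshold and the file names are assumptions, and the one-argument form of the eval function follows the description above.

```bro
# ---- kazaa.sig (constructed example) ----
# signature kazaa-seen {
#   ip-proto == tcp
#   dst-port == 1214
#   payload /.*[kK]a[zZ]aa/
#   eval kazaa_check          # consulted first; match stands only if it returns T
#   event "kazaa seen"        # signature_match fires only after eval returned T
# }

# ---- kazaa.bro (constructed example) ----

# Matches on payloads shorter than this are discarded by the eval function
# (assumed threshold, chosen for the example).
const kazaa_min_payload_size = 16 &redef;

# Called by the signature engine before "kazaa-seen" is considered matched.
# It receives the same signature_state that signature_match gets; returning
# F suppresses the match, so no signature_match event is raised for it.
function kazaa_check(state: signature_state): bool
	{
	# Only accept matches in the originator -> responder direction.
	if ( ! state$is_orig )
		return F;

	# Skip small fragments that merely happen to contain the keyword.
	if ( state$payload_size < kazaa_min_payload_size )
		return F;

	return T;
	}

# Raised with the action string ("kazaa seen") as msg, but only for
# matches that kazaa_check let through.
event signature_match(state: signature_state, msg: string, data: string)
	{
	if ( state$sig_id != "kazaa-seen" )
		return;

	local c = state$conn;
	print fmt("%s: %s:%s -> %s:%s (%d payload bytes)", msg,
	          c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
	          state$payload_size);
	}
```

Run as `bro -s kazaa.sig kazaa.bro`; newer releases of the signature framework may also hand the eval function the matched payload as a second string parameter, so check the documentation for the version in use.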