Bro <-> Snort documentation

signature kazaa-seen {
  ip-proto == tcp
  dst-ip == whatever
  dst-port == whatever (or omitted, I guess)
  payload /.*kazaa regular expression/
  eval function_to_execute_when_kazaa_seen
  event "kazaa seen"

The 'eval' & the 'event' are somewhat confusing. I presume that the
'signature_match' event is triggered with the string for action, but
when is the 'eval' called (before the event, or after), and with what

The function specified by "eval" is called before the signature is determined
to have triggered. It's passed in the signature_state just as is
signature_match. It returns a boolean, which must be T for the signature
to trigger.

For an example, see sig.ex.ssl-worm.bro and policy/ssl-worm.bro.