Hi, everyone,
I have recently worked on some BRO-ID work; that is, I want to intercept some REST messages from a net interface using signatures, and I found that I can only intercept a part of all of the messages. For example, I can use tshark to intercept, let’s say, 100 messages, but with BRO, there are only 50. I have read the official document, which says, “Each signature is reported at most once for every connection, further matches of the same signature are ignored”. I just want to know: is there any chance to change this situation? Or did I configure something wrong?
Regards,
Sherry from China