How to write a signature definition for (event_A AND event_B)?

Hello everybody,

I'm a new and inexperienced user of the really interesting BRO detection
framework. I want to write a signature definition for event A and B, which
triggers only after event A and B happened. My approach so far:

signature s1 {event "Pattern A"}

signature s2 {event "Pattern B"
   requires-signature s1
}

If I understood the documentation correctly, I can define an event sequence
with the "requires-signature" condition.

But this one only matches events (A, B) and not (B, A).

Is it possible to write an event expression (A AND B)?

Kind regards,
Bogdan.

Not directly with the signature language. You can however write a
Bro script (i.e., a script in Bro's primary language) which keeps
track of which signatures have matched so far. This way you can
implement arbitrary dependencies.

Robin
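
One way to do the tracking described in the reply above, as an added example that is not code from the thread or from the Bro project. It assumes s1 and s2 are both loaded with an `event` action and without `requires-signature`, that "A AND B" means both matched on the same connection, and it introduces the hypothetical names `required_sigs`, `matched_sigs` and `all_sigs_matched`.

```bro
# Added example (not from the thread). Signature IDs that must all match
# on one connection; "s1" and "s2" are the IDs used in the question.
const required_sigs: set[string] = { "s1", "s2" } &redef;

# Per-connection record of which required signatures have matched so far.
# Entries expire so connections that only ever match one of them do not
# accumulate state forever (30 min is an assumed value).
global matched_sigs: table[conn_id] of set[string] &create_expire = 30 min;

# Hypothetical event raised once every required signature has matched.
global all_sigs_matched: event(c: connection);

# signature_match is raised for every signature that has an `event` action.
event signature_match(state: signature_state, msg: string, data: string)
	{
	if ( state$sig_id !in required_sigs )
		return;

	local id = state$conn$id;

	if ( id !in matched_sigs )
		matched_sigs[id] = set();

	add matched_sigs[id][state$sig_id];

	# Order does not matter: (A, B) and (B, A) both complete the set.
	if ( |matched_sigs[id]| == |required_sigs| )
		{
		event all_sigs_matched(state$conn);
		delete matched_sigs[id];
		}
	}

event all_sigs_matched(c: connection)
	{
	print fmt("s1 AND s2 both matched on %s", c$id);
	}
```

Because the match state lives in the script, s2 must not carry `requires-signature s1`; otherwise the (B, A) order never raises a `signature_match` for s2.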