Pattern matching ?


It seem to be hard to do pattern-matching in Bro to find out a pattern in
normal packets (packets that don't init/terminate an event; or aren't in
part of protocol's command like "STOR xxx" in FTP but in content of file
xxx). For example, I want to alert any attemp of using command "su" on a
Telnet session; alert if any file uploaded via FTP that contains pattern of
a Worm...

Am I right if I say Bro only pays attention to "special" packets like those
above? If I'm not, please, drop me an example of policy script for the
Telnet case mentioned above./.

Hope to receive yours reply soon.

PS: I'm using Bro v0.6