Hello,
It seem to be hard to do pattern-matching in Bro to find out a pattern in
normal packets (packets that don't init/terminate an event; or aren't in
part of protocol's command like "STOR xxx" in FTP but in content of file
xxx). For example, I want to alert any attemp of using command "su" on a
Telnet session; alert if any file uploaded via FTP that contains pattern of
a Worm...
Am I right if I say Bro only pays attention to "special" packets like those
above? If I'm not, please, drop me an example of policy script for the
Telnet case mentioned above./.
Hope to receive yours reply soon.
PS: I'm using Bro v0.6