Regarding signatures

Hi all,

I am having trouble matching the same signature for packets in different connections: it matches one connection but does not match another connection, even though the packets have the same payload.

The signature that is to be matched is the following:
signature gtalk_test {
  event "gtalk test received"
  payload /\x17\x03\x01/
}

I tried the following signature also

signature gtalk_one {
  event "gtalk one received"
  payload /.{0,0}\x17/
  payload /.{1,1}\x03/
  payload /.{2,2}\x00/
}

The pcap that is not matching is attached along with this mail.

Can anyone help me understand how signature matching happens in bro-1.2.1?

                                      Thanks
                                      Ayyappa

jabber-matched.pcap.pcap (987 Bytes)

jabber-unmatched.pcap.pcap (699 Bytes)

> I am having trouble matching the same signature for packets in
> different connections: it matches one connection but does not match
> another connection, even though the packets have the same payload.

(Sorry for the delay in getting back to this.)

It actually works fine for me:

cat a.sig

signature gtalk_test {
event "gtalk test received"
payload /\x17\x03\x01/
}

bro -r jabber-matched.pcap.pcap -s ./a.sig signatures

1165632085.395097 SensitiveSignature 192.168.0.3: gtalk test received

bro -r jabber-unmatched.pcap.pcap -s ./a.sig signatures

1165670194.604938 SensitiveSignature 216.239.37.125: gtalk test received

What's the command line you're using?

Robin
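To illustrate the semantics the thread turns on, here is a small added emulation (example code written for this page, not Bro's own matcher) of how the two signatures above evaluate against a payload. It assumes what Bro documents for `payload` conditions: each regex is matched implicitly anchored at offset 0 of the payload (so `.{2,2}\x00` means "byte 2 is 0x00", and a pattern that should match anywhere needs a leading `.*`), and every `payload` condition in one signature must hold for the signature to fire. The sample payloads are constructed here, not taken from the attached pcaps.

```python
import re

# Constructed sample payloads (not the contents of the attached pcaps).
# 0x17 is the TLS record content type "application_data"; 0x0301 is the
# TLS 1.0 version field, 0x0300 is SSLv3.
TLS10_APPDATA = b"\x17\x03\x01\x00\x20" + b"\x00" * 32
SSL3_APPDATA = b"\x17\x03\x00\x00\x20" + b"\x00" * 32
PLAIN_XMPP = b"<stream:stream xmlns='jabber:client'>"

# The two signatures from the thread, reduced to their payload regexes.
SIGNATURES = {
    "gtalk_test": [rb"\x17\x03\x01"],
    "gtalk_one": [rb".{0,0}\x17", rb".{1,1}\x03", rb".{2,2}\x00"],
}


def payload_condition_matches(pattern: bytes, payload: bytes) -> bool:
    """Emulate one Bro `payload /regex/` condition.

    Assumption: Bro anchors payload patterns at the start of the payload,
    which re.match also does. DOTALL lets '.' cover any byte value, since
    packet payloads are arbitrary binary data.
    """
    return re.match(pattern, payload, re.DOTALL) is not None


def signature_matches(name: str, payload: bytes) -> bool:
    """A signature fires only when all of its payload conditions hold."""
    return all(payload_condition_matches(p, payload) for p in SIGNATURES[name])


def evaluate(payload: bytes) -> dict:
    """Evaluate every signature against one payload; returns name -> bool."""
    return {name: signature_matches(name, payload) for name in SIGNATURES}


if __name__ == "__main__":
    for label, payload in (
        ("TLS 1.0 application data", TLS10_APPDATA),
        ("SSLv3 application data", SSL3_APPDATA),
        ("plain XMPP stream header", PLAIN_XMPP),
    ):
        print(label, evaluate(payload))
```

Running it shows why the two signatures are not interchangeable: because of the implicit anchoring, `gtalk_one` requires byte 2 to be `0x00`, so it fires on the SSLv3 record header and not on the TLS 1.0 one, while `gtalk_test` does the opposite. Checking the third byte of the first payload in each capture is therefore the first thing to verify when one connection matches and another does not.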