Hello,
I am having trouble using signatures on bro. Lets say we have the following signature
signature s2b-99999-9 {
ip-proto == tcp
#dst-port == 80
#dst-port == http_ports
tcp-state established
event "Sample Signature"
}
when I using "dst-port == 80" everything goes seems to work. By 'work' I mean that bro generates plenty of warnings placing them on signatures.log, however, if we replace "st-port == 80" for "dst-port == http_ports" and throw it again against the same trace, we no longer get any warnings.
http_ports is declared on $BROPATH/policy/snort.bro as:
const http_ports = { 80/tcp, 8000/tcp, 8001/tcp, 8080/tcp };
I assume snort..bro is loaded correctly since otherwise throws non-declaration errors. It is loaded it on my hostname.bro file which I use when running bro.
Also, does anybody know whether next release will implement other regular expression matching library? I am trying to update snort2bro to support the snort pcre, however it is not a trivial task.
Any suggestions?
Thank you!
Miguel
