signature match bug

Vishal_Verma · February 7, 2007, 10:50am

I found this comment in RuleMatcher.cc.

// - Sometimes, the signature match event is generated after a
// connection_finished (or similar) event. Using the default ru
les.bro,
// this means that we will not see the rule id in the connectio
n summary.

I wanted to fix this bug. Can somebody tell me what's the basic problem
here... and any hints on the approach?

I'm new to Bro regex matching code... so any documentation in
understanding how Bro regex matching works would help too.

thanks
-y

robin · February 9, 2007, 12:59am

Hmm... I think the comment is out of date. These days the connection
summaries are generated by a connection_state_remove() handler in
conn.bro. I don't think a signature_match can be generated *after*
the connection_state_remove event (which is raised when the internal
connection state is flushed). So, seems there's nothing to fix.

Robin

Topic		Replies	Views
signature match Zeek	2	65	May 6, 2022
Data truncated in signature_match and misc questions Zeek	4	56	May 6, 2022
Segmentation fault with RuleMatcher Zeek	7	69	May 6, 2022
Losing events associated with Signature Matching Zeek	2	58	May 6, 2022
Getting matched substrings ??? Zeek	2	109	May 6, 2022

signature match bug

Related Topics