signature match

Jai_Prakash_D_R · November 29, 2006, 12:10pm

Hi,

I am working with bro-0.9 signatuers. Please let me know where exactly the
packets is being compared against the all the available signatuers.
Once a signature is matched i want to get the rule->ID( ) of that signature.

When i am using the below piece of code from RuleMatcher.cc

                        loop_over_list(accepted, i)
    {
      Rule* r = Rule::rule_table[accepted[i] - 1];

                          #ifdef MATCHER_PRINT_DEBUG
         fprintf(stderr, "%.06f Checking rule: %s\n",
network_time, r->id);
                          #endif
                      }

the rule->id's of previously matched signatues are bing displayed.

please help me in this regard.

Regards
Prakash.

robin · November 30, 2006, 3:05am

The method RuleMatcher::ExecRuleActions() might be the best entry
point for you. It's called when a signature matches for the first
time on a certain connection, and triggers actions like raising the
signature_match event.

Depending on what exactly you want to do, you may also consider a
writing a new RuleAction. See class RuleActionEvent as an example.

Robin

Topic		Replies	Views
signature match bug Zeek	2	90	May 6, 2022
Segmentation fault with RuleMatcher Zeek	7	90	May 6, 2022
multiple logs for a signature Zeek	2	78	May 6, 2022
signature match script Zeek	4	89	May 6, 2022
Getting matched substrings ??? Zeek	4	101	May 6, 2022

signature match

Related topics