signature match


I am working with bro-0.9 signatures. Please let me know where exactly the
packets are being compared against all the available signatures.
Once a signature is matched I want to get the rule->ID( ) of that signature.

When I am using the below piece of code from

    loop_over_list(accepted, i)
        Rule* r = Rule::rule_table[accepted[i] - 1];

    #ifdef MATCHER_PRINT_DEBUG
        fprintf(stderr, "%.06f Checking rule: %s\n",
                network_time, r->id);

the rule->id's of previously matched signatures are being displayed.

Please help me in this regard.


The method RuleMatcher::ExecRuleActions() might be the best entry
point for you. It's called when a signature matches for the first
time on a certain connection, and triggers actions like raising the
signature_match event.

Depending on what exactly you want to do, you may also consider
writing a new RuleAction. See class RuleActionEvent as an example.