Signature payload matching

Hi all,

I’m working for automation of signature generation for Bro from pcap trace files.
I would like to know if the matching of the payload as a condition is done against all the session data or more like per packet matching.


It's matched against the reassembled session payload. There's some
more information on details of the matching process here: