Hi all,
I’m working for automation of signature generation for Bro from pcap trace files.
I would like to know if the matching of the payload as a condition is done against all the session data or more like per packet matching.
Thanks
It's matched against the reassembled session payload. There's some
more information on details of the matching process here:
http://www.bro-ids.org/documentation/signatures.html
Robin